CAN YOU USE SEPERATE AD GROUPS WITH SEPERATE ACS GROUPS?

unclejigz · ‎06-20-2007

I have a Windows 2003 DC with Secure ACS 4.1 installed. I have created a "VPN users" and a "Wireless users" group in AD. I have mapped those groups to the respective groups (same name) in ACS. What I am trying to do is force my Concentrator 3000 to use only the VPN users group to Authenticate for VPn and the wireless AP's to use only the wireless users group to authenticate for wireless access. What I run into now is if I have the groups in this order 1. VPN group 2. Wireless group. And then I place a user account in only the wireless group, then try to authenticate from the concentrator it still works and the user is placed in the wireless group. Can anyone help or is this a case where ACS will keep going down the list similar to an access-list and once it finds a match it uses it?

Thanks

Jagdeep Gambhir · ‎06-20-2007

Hi,

The solution here is to use NAR's.

On VPN group in acs you need to permit only VPN3000 (Rest all is denied). Now when VPN user will try to login to AP , ACS would not allow it login and vice versa.

Here is the link,

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp697095

Regards,

Jagdeep

Jagdeep Gambhir · ‎06-20-2007

Pls see this attachement. On VPN group you need to Permit VPN3000 and same thing needs to be on Wireless Group in acs.

unclejigz · ‎06-20-2007

Looks good. Thanks for the info. I tried those yesterday but never double checked and I guess when I restarted the services I never entered the info and it didnt take. Thanks again