06-20-2007 09:27 AM - edited 03-10-2019 03:13 PM
I have a Windows 2003 DC with Secure ACS 4.1 installed. I have created a "VPN users" and a "Wireless users" group in AD. I have mapped those groups to the respective groups (same name) in ACS. What I am trying to do is force my Concentrator 3000 to use only the VPN users group to authenticate for VPN and the wireless APs to use only the wireless users group to authenticate for wireless access. What I run into now is if I have the groups in this order: 1. VPN group 2. Wireless group, and then I place a user account in only the wireless group, then try to authenticate from the concentrator, it still works and the user is placed in the wireless group. Can anyone help, or is this a case where ACS will keep going down the list similar to an access-list and once it finds a match it uses it?
Thanks
06-20-2007 09:38 AM
Hi,
The solution here is to use NARs.
On the VPN group in ACS you need to permit only the VPN3000 (all the rest is denied). Now when a VPN user tries to log in to an AP, ACS would not allow it to log in, and vice versa.
Here is the link:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp697095
Regards,
Jagdeep
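The group mapping and NAR behaviour discussed in this thread, as an added example that is not part of the original posts and is not Cisco ACS code: a simplified Python model that assumes first-match group mapping and a per-group list of permitted AAA clients. The device names `vpn3000`, `ap-1` and `ap-2` are constructed placeholders.

```python
# Simplified model (an assumption, not Cisco ACS code): ordered AD-to-ACS
# group mapping, followed by a per-group Network Access Restriction (NAR).

# Ordered mapping list from the question; the first matching AD group wins.
GROUP_MAPPINGS = [
    ("VPN users", "VPN users"),
    ("Wireless users", "Wireless users"),
]

# NAR per ACS group: the only AAA clients permitted for that group.
# Device names are constructed placeholders.
NAR_PERMIT = {
    "VPN users": {"vpn3000"},
    "Wireless users": {"ap-1", "ap-2"},
}

def map_group(ad_groups):
    """Return the ACS group of the first mapping the user's AD groups match."""
    for ad_group, acs_group in GROUP_MAPPINGS:
        if ad_group in ad_groups:
            return acs_group
    return None

def authenticate(ad_groups, aaa_client, nar=None):
    """Return (acs_group, permitted); nar=None models a setup without NARs."""
    acs_group = map_group(ad_groups)
    if acs_group is None:
        return None, False          # no mapping matched: reject
    if nar is None:
        return acs_group, True      # nothing ties the group to a device
    # With a NAR, the request must arrive from a permitted AAA client.
    return acs_group, aaa_client in nar.get(acs_group, set())

if __name__ == "__main__":
    cases = [
        ("wireless-only user via concentrator, no NAR", {"Wireless users"}, "vpn3000", None),
        ("wireless-only user via concentrator, NAR", {"Wireless users"}, "vpn3000", NAR_PERMIT),
        ("wireless-only user via AP, NAR", {"Wireless users"}, "ap-1", NAR_PERMIT),
        ("VPN-only user via AP, NAR", {"VPN users"}, "ap-1", NAR_PERMIT),
        ("user in both groups via AP, NAR", {"VPN users", "Wireless users"}, "ap-1", NAR_PERMIT),
    ]
    for label, groups, client, nar in cases:
        print(label, "->", authenticate(groups, client, nar))
```

In this model a user who belongs to both AD groups is mapped to the first group in the list and is then refused at the access point, so dual-role accounts are worth testing after NARs are applied.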
06-20-2007 09:47 AM
06-20-2007 09:55 AM
Looks good. Thanks for the info. I tried those yesterday but never double-checked, and I guess when I restarted the services I never entered the info and it didn't take. Thanks again.