Cisco Support Community
Community Member

Documentation on how to grant "VPN","Wireless" access to Windows group

Win2003 active directory.

I am planning to create a Windows security group (global) "WirelessUsers" and a group named "VPNUsers".

Then I would need to go to ACS 3.3 and need to configure mapping to allow such groups to access wireless and VPN respectively. Users which are not members of such groups should not have access to VPN or wireless.

Few questions

1) Can you point me to a documentation which shows a similar configuration ?

I have browsed the Cisco website and so far I have seen the section "Set group membership"

But I did not see "how to" sections showing how I can grant VPN or wireless permissions for a certain Windows active directory security group.

2) I see that the latest version of ACS is 4.0 ? Anyone out there is using ACS 4.0, is that a stable product or should I be OK with ACS 3.3 ?

Community Member

Re: Documentation on how to grant "VPN","Wireless" access to Win

Essentially what you will have to do is create Network Access Restrictions for each group in ACS:

So for example, you have two AD groups and two ACS groups: AD_VPN and AD_Wireless, ACS_VPN and ACS_Wireless.

If you're Database Group Mapping, you'll have:

- AD_VPN maps to the ACS_VPN group

- AD_Wireless maps to the ACS_Wireless group

Then in your ACS_VPN group, you would create a network access restriction which states that users in this group can ONLY authenticate to your VPN headend. Similarly with wireless, the ACS_Wireless group has it's own NAR that restricts access to only Wireless APs.

So what happens is, when a user who is only in the AD_VPN group in Active Directory tries to VPN in, he/she gets mapped to the ACS_VPN group, authenticates successfully, and is given VPN access. If this same user tries to log into wireless, he/she will still get mapped to the ACS_VPN group, but because of the NAR applied to that group, will be denied access. Similarly, this goes for wireless users.

I hope this is the functionality that you were looking for.



CreatePlease to create content