Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

How can I deny access to certain AD users in Cisco Secure ACS 5.4?

I feel stupid asking this question as I think it should be an easy, but I cannot figure it out. I'm new to Cisco Secure ACS and it was in place when I started my current job, so I was not the one who configured it.

We use our ACS for wireless access. Active Directory is linked to the ACS and the selected groups are Domain Users and Domain Computers. As we sit right now, every enabled AD user has access to the wireless. This makes sense to me, since the entire Domain Users group is selected. We want to create a new group, say Deny Wireless, and put service and generic accounts in this group. That way any normal user account can have wireless access, but the few other accounts are denied.

The other way I'm thinking this may work without changing a whole lot, would be if we just created a new group called Wireless Access and put all users that we wanted to have access in this group. Then instead of having the Domain Users group selected in ACS, we just select the Wireless Access group.

Please let me know the best way to do this. Thanks!

New Member

How can I deny access to certain AD users in Cisco Secure ACS 5.


I believe it is best to use the AD groups to control access, once you have you Access Policies configured. Sounds like your on the right track.


How can I deny access to certain AD users in Cisco Secure ACS 5.

ACS supports the authentication of  computers that are running the Microsoft Windows operating systems that  support EAP computer authentication. Machine authentication, also  called computer authentication, allows networks services only for  computers known to Active Directory. This feature is especially useful  for wireless networks, where unauthorized users outside the physical  premises of your workplace can access your wireless access points.

When machine authentication is  enabled, there are three different types of authentications. When  starting a computer, the authentications occur in this order:

Machine authentication—ACS  authenticates the computer prior to user authentication. ACS checks the  credentials that the computer provides against the Windows identity  store. If you use Active Directory and the matching computer account in  AD has the same credentials, the computer gains access to Windows domain  services.

User domain authentication—If  machine authentication succeeded, the Windows domain authenticates the  user. If machine authentication failed, the computer does not have  access to Windows domain services and the user credentials are  authenticated by using cached credentials that the local operating  system retains. In this case, the user can log in to only the local  system. When a user is authenticated by cached credentials, instead of  the domain, the computer does not enforce domain policies, such as  running login scripts that the domain dictates.

Please Check the below link for active directory  joining and managing users and groups

New Member

How can I deny access to certain AD users in Cisco Secure ACS 5.

Hi Logan,

I am also with Rashid. Having Access Policies configured will solve your case. Below is the link that might help you.

New Member

How can I deny access to certain AD users in Cisco Secure ACS 5.

Thanks for the responses. I'll check out the 2 links and try to get the groups set up.

CreatePlease to create content