How can I deny access to certain AD users in Cisco Secure ACS 5.4?
I feel stupid asking this question as I think it should be an easy one, but I cannot figure it out. I'm new to Cisco Secure ACS and it was in place when I started my current job, so I was not the one who configured it.
We use our ACS for wireless access. Active Directory is linked to the ACS and the selected groups are Domain Users and Domain Computers. As we sit right now, every enabled AD user has access to the wireless. This makes sense to me, since the entire Domain Users group is selected. We want to create a new group, say Deny Wireless, and put service and generic accounts in this group. That way any normal user account can have wireless access, but the few other accounts are denied.
The other way I'm thinking this may work without changing a whole lot, would be if we just created a new group called Wireless Access and put all users that we wanted to have access in this group. Then instead of having the Domain Users group selected in ACS, we just select the Wireless Access group.
Please let me know the best way to do this. Thanks!
ACS supports the authentication of computers that are running the Microsoft Windows operating systems that support EAP computer authentication. Machine authentication, also called computer authentication, allows network services only for computers known to Active Directory. This feature is especially useful for wireless networks, where unauthorized users outside the physical premises of your workplace can access your wireless access points.
When machine authentication is enabled, there are three different types of authentication. When starting a computer, the authentications occur in this order:
• Machine authentication: ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows identity store. If you use Active Directory and the matching computer account in AD has the same credentials, the computer gains access to Windows domain services.
• User domain authentication: If machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. In this case, the user can log in to only the local system. When a user is authenticated by cached credentials instead of by the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.
Please check the link below for Active Directory joining and managing users and groups.
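As an added illustration (not part of the question or of the answer above), the following Python model shows what happens when the two options from the question are expressed as an ACS 5.x network access authorization rule table. ACS 5.x evaluates such a table top to bottom, the first rule whose conditions all match decides the result, and the Default rule catches anything that matched nothing. The rule names, the sample accounts and their group memberships are constructed for the example; the group names "Deny Wireless" and "Wireless Access" are the ones proposed in the question.

```python
"""First-match evaluation of an ACS 5.x style authorization rule table.

Added illustration, not Cisco code. ACS 5.x policies are ordered rule tables:
the first rule whose conditions all match decides the result, and the Default
rule applies when nothing matches. Group and account names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    # AD external groups the account must belong to for the rule to match.
    required_groups: FrozenSet[str]
    result: str  # "PermitAccess" or "DenyAccess"


@dataclass(frozen=True)
class Account:
    name: str
    groups: FrozenSet[str]
    enabled: bool = True


DEFAULT_RESULT = "DenyAccess"


def evaluate(rules: List[Rule], account: Account) -> Tuple[str, str]:
    """Return (matched rule name, result) for one account.

    A disabled account never reaches the authorization table: AD rejects
    its credentials during authentication, so the outcome is a reject.
    """
    if not account.enabled:
        return ("Authentication", "DenyAccess")
    for rule in rules:
        if rule.required_groups <= account.groups:  # every condition matches
            return (rule.name, rule.result)
    return ("Default", DEFAULT_RESULT)


def decisions(rules: List[Rule], accounts: List[Account]) -> Dict[str, str]:
    """Map every account name to the result the rule table gives it."""
    return {acct.name: evaluate(rules, acct)[1] for acct in accounts}


# Option 1 from the question: a "Deny Wireless" group placed ABOVE the broad
# "Domain Users" permit. Order matters because evaluation stops at first match.
DENY_RULE = Rule("Block service accounts", frozenset({"Deny Wireless"}), "DenyAccess")
USERS_RULE = Rule("Domain users", frozenset({"Domain Users"}), "PermitAccess")
COMPUTERS_RULE = Rule("Domain computers", frozenset({"Domain Computers"}), "PermitAccess")

DENY_FIRST: List[Rule] = [DENY_RULE, USERS_RULE, COMPUTERS_RULE]
# Same three rules with the deny rule below the permit: the permit shadows it.
PERMIT_FIRST: List[Rule] = [USERS_RULE, DENY_RULE, COMPUTERS_RULE]

# Option 2 from the question: replace "Domain Users" with an explicit
# "Wireless Access" allow-list group; everything else falls to Default.
ALLOW_LIST: List[Rule] = [
    Rule("Wireless users", frozenset({"Wireless Access"}), "PermitAccess"),
    COMPUTERS_RULE,
]

# Constructed sample accounts (hypothetical, not from a real directory).
ACCOUNTS: List[Account] = [
    Account("alice", frozenset({"Domain Users", "Wireless Access"})),
    Account("svc_backup", frozenset({"Domain Users", "Deny Wireless"})),
    Account("generic_kiosk", frozenset({"Domain Users"})),  # added to neither new group
    Account("PC01$", frozenset({"Domain Computers"})),
    Account("former_employee", frozenset({"Domain Users"}), enabled=False),
]


if __name__ == "__main__":
    for label, table in (("deny rule first", DENY_FIRST),
                         ("deny rule below permit", PERMIT_FIRST),
                         ("allow-list group", ALLOW_LIST)):
        print(f"--- {label} ---")
        for acct in ACCOUNTS:
            rule, result = evaluate(table, acct)
            print(f"{acct.name:16} {result:12} (matched: {rule})")
```

Two things the model makes visible. First, with the deny-group approach the deny rule has to sit above the "Domain Users" permit, otherwise the permit matches first and the deny rule is never reached. Second, the deny-group approach fails open: an account nobody remembered to put into "Deny Wireless" (generic_kiosk above) is still permitted, whereas the allow-list approach fails closed and only accounts explicitly placed in "Wireless Access" get on the wireless.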