I have a similar problem. I created two groups in ACS and mapped one group to AD (DeviceAdmin) and the other group to Users in AD. Now users who are members of Domain Admin can't access my AAA clients and the rest can access the AAA clients, but I need it the other way around.
Let me tell you briefly my issue.
1. I need all users in AD to authenticate with their AD username/password.
2. Only one group in AD needs to access my AAA clients.
3. Only one group in my AD needs to authenticate with the VPN client.
Attached are the ACS group mapping and NAR in group DeviceAdmin.
I would appreciate it if you could give me clear steps for the above requirement, please.
To achieve it you need to set up NARs. Edit group settings (device admins) ----> Per group defined network access restrictions ----> Enable IP based ----> From the drop-down choose permit ----> In the AAA clients drop-down choose the clients you want to allow access ----> Use * for port and IP address ----> Enter.
ACS will permit access to only the above AAA clients, and all the rest will be denied.
Do the same for the AD group that should only access VPN.
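The behaviour described in this answer, modelled as an added example that is not part of the thread: a per-group IP-based NAR set to "permit" allows only the listed AAA clients and denies every other client, while a group with no NAR is left unrestricted. The AD group names, ACS group names and AAA client names are constructed, and the top-down evaluation of the group mappings is an assumption of the model.

```python
# Added example (not from the original thread): a small model of ACS group
# mapping plus a per-group IP-based NAR with a "permit" list.
# All names and addresses below are constructed for illustration.
from dataclasses import dataclass, field
from fnmatch import fnmatch

# AD group -> ACS group mapping (constructed). The model assumes ACS walks
# the mappings top-down and uses the first AD group the user belongs to.
GROUP_MAPPING = {
    "Domain Admins": "DeviceAdmin",
    "VPN-Users": "VPNUsers",
    "Domain Users": "Users",
}

@dataclass
class NarEntry:
    aaa_client: str      # AAA client name, "*" = any client
    port: str = "*"      # "*" = any port (as the answer suggests)
    address: str = "*"   # "*" = any calling-station address

@dataclass
class GroupNar:
    permit: bool                        # True = "permit" chosen in the drop-down
    entries: list = field(default_factory=list)

# Per-group NARs (constructed): DeviceAdmin may reach only the two switches,
# VPNUsers only the VPN ASA. The Users group has no NAR at all.
NARS = {
    "DeviceAdmin": GroupNar(True, [NarEntry("switch-core"), NarEntry("switch-edge")]),
    "VPNUsers": GroupNar(True, [NarEntry("asa-vpn")]),
}

def acs_group_for(ad_groups):
    """Return the ACS group for a user, or None if no mapping matches."""
    for ad_group, acs_group in GROUP_MAPPING.items():
        if ad_group in ad_groups:
            return acs_group
    return None

def nar_allows(acs_group, aaa_client, port="1", address="10.0.0.1"):
    """Apply the group's NAR: permit only matching entries, deny the rest."""
    nar = NARS.get(acs_group)
    if nar is None:
        return True  # no NAR defined on the group: nothing is restricted
    matched = any(fnmatch(aaa_client, e.aaa_client) and fnmatch(port, e.port)
                  and fnmatch(address, e.address) for e in nar.entries)
    return matched if nar.permit else not matched

def can_access(ad_groups, aaa_client):
    """Full decision: map the user's AD groups to an ACS group, then apply its NAR."""
    acs_group = acs_group_for(set(ad_groups))
    return acs_group is not None and nar_allows(acs_group, aaa_client)
```

Note that a group without a NAR (Users above) still reaches every AAA client; restricting only DeviceAdmin does not by itself keep other groups away from the devices.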