
Wireless and ACS mappings.

news2010a
Level 3

Hi, can you help me with this?

Cisco ACS 3.3.

Goal: I want to allow only users who are members of the security group 'myActiveDirectoryDomain\WirelessACS' to be able to authenticate.

I am doing this in a lab environment before going into production:

On ACS 3.3, I mapped a group named "ACSWireless". I created the respective group "DomainWireless" in active directory.

My question is:

On ACS 3.3, which option should I pick under "Interface Configuration" in order to configure the options on ACS which will allow the AAA client 'Access Points' to gain access? I found an option for VPN, but not wireless. That's not very clear to me.

On "Group setup", I ended up with the "Jump to" options Access Restrictions, IP Address Assignment, RADIUS (Cisco IOS/PIX) and RADIUS IETF. I don't see anything explicit there for 'wireless' or access points.

Your direction on this would be really appreciated. Please find attached screenshots showing what my configuration looks like.

3 Replies

news2010a
Level 3

Let me add that I am trying to make the ACS authenticate users through LEAP.

On the respective Access Point 1200, "Express Security" menu, I already entered the ACS server IP address there.

mihai.gagea
Level 1

If I understood correctly, you want a specific group in the ACS database to be allowed to authenticate only against a single NAS or NDG.

I have done this the following way:

I created an NDG (Network Device Group) called Wireless APs. I added every AP to this group. Then you go to the group setup and edit the group settings. Check the "Per Group Defined Network Access Restrictions" and add your NDG containing the wireless APs. Use the "*" wildcard for the port and address filters so your clients are allowed to connect to every AP on every port. That's all. You can test this by not including an AP in the NDG. Clients connecting to that AP shouldn't be allowed to connect, because the NAR is in place and this AP is not in the allowed list.

If you can't create NDGs then go to Interface configuration / Advanced options and check the Network Device Group option (not enabled by default).

If you don't see "Network Access Restrictions" on the group settings page then go again to Interface Configuration / Advanced Options and check the "Group-Level Network Access Restrictions" (also not enabled by default).

darpotter
Level 5

Hi

When you said "I want to allow only users members of security group 'myActiveDirectoryDomain\WirelessACS' be able to authenticate", did you mean all other AD users should *not*?

If this is the case, edit the group mappings to map all other AD groups to "no access".

Any AD user who is not in the correct group will get rejected.

If you're going to use NARs, make sure you use DNIS/CLID NARs, as these are Layer 2.
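The two answers above combine into one decision chain: the AD group is mapped to an ACS group (everything else mapped to "No Access"), and the ACS group's NAR then only permits AAA clients that sit in the "Wireless APs" NDG. The script below is an added illustration for this page that models that chain so the three outcomes can be checked side by side; it is not ACS code. The group, NDG and device names come from the thread, while the AP addresses, user accounts and RADIUS attribute values are constructed.

```python
"""Model of ACS 3.3 group mapping followed by a group-level Network Access
Restriction (NAR), as described in the thread.  Added illustration, not
ACS code; addresses, users and request fields below are constructed."""

from dataclasses import dataclass
from fnmatch import fnmatchcase

NO_ACCESS = "No Access"

# Ordered AD group -> ACS group mappings.  ACS walks the list top to
# bottom and uses the first match; anything not listed falls through to
# the default, which we set to "No Access" as darpotter suggests.
GROUP_MAPPINGS = [
    ("myActiveDirectoryDomain\\WirelessACS", "ACSWireless"),
]
DEFAULT_MAPPING = NO_ACCESS

# Network Device Groups -> member AAA clients (constructed AP addresses).
NDGS = {
    "Wireless APs": {"10.0.1.10", "10.0.1.11"},
}


@dataclass
class Nar:
    """One permitted entry of a group-level NAR: the NDG, plus port and
    address (CLID/DNIS) filters; '*' is the wildcard mihai.gagea uses."""
    ndg: str
    port_filter: str = "*"
    address_filter: str = "*"


# Per-group NARs.  Only ACSWireless is restricted; other groups have none.
GROUP_NARS = {
    "ACSWireless": [Nar(ndg="Wireless APs")],
}


@dataclass
class AuthRequest:
    user: str
    ad_groups: tuple            # groups AD reports for the user
    nas_ip: str                 # NAS-IP-Address of the AP
    nas_port: str               # NAS-Port as a string, for the filter
    calling_station_id: str     # CLID: the wireless client's MAC


def map_group(ad_groups):
    """First matching mapping wins, otherwise the default mapping."""
    for ad_group, acs_group in GROUP_MAPPINGS:
        if ad_group in ad_groups:
            return acs_group
    return DEFAULT_MAPPING


def nar_permits(acs_group, req):
    """True if no NAR is defined for the group, or one permitted entry
    matches: the AP is in the NDG and both wildcard filters match."""
    nars = GROUP_NARS.get(acs_group)
    if not nars:
        return True
    for nar in nars:
        in_ndg = req.nas_ip in NDGS.get(nar.ndg, set())
        if (in_ndg
                and fnmatchcase(req.nas_port, nar.port_filter)
                and fnmatchcase(req.calling_station_id, nar.address_filter)):
            return True
    return False


def decide(req):
    """Return (accepted, reason) for one authentication request."""
    acs_group = map_group(req.ad_groups)
    if acs_group == NO_ACCESS:
        return False, "mapped to No Access"
    if not nar_permits(acs_group, req):
        return False, "NAR: AAA client not in a permitted NDG"
    return True, f"accepted as {acs_group}"


# Constructed requests covering the three cases discussed in the thread.
MEMBER_VIA_LISTED_AP = AuthRequest(
    "alice", ("myActiveDirectoryDomain\\WirelessACS",),
    "10.0.1.10", "1", "00-11-22-33-44-55")
MEMBER_VIA_UNLISTED_AP = AuthRequest(
    "alice", ("myActiveDirectoryDomain\\WirelessACS",),
    "10.0.1.99", "1", "00-11-22-33-44-55")   # AP left out of the NDG
NON_MEMBER = AuthRequest(
    "bob", ("myActiveDirectoryDomain\\Domain Users",),
    "10.0.1.10", "1", "00-aa-bb-cc-dd-ee")

if __name__ == "__main__":
    for req in (MEMBER_VIA_LISTED_AP, MEMBER_VIA_UNLISTED_AP, NON_MEMBER):
        ok, why = decide(req)
        print(f"{req.user} via {req.nas_ip}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The second request is mihai.gagea's test case: a member authenticating through an AP that was deliberately left out of the NDG is rejected by the NAR alone, which confirms the restriction is in force before the setup goes to production.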