Goal: I want to allow only users who are members of the security group 'myActiveDirectoryDomain\WirelessACS' to be able to authenticate.
I am doing this in a lab environment before going into production:
On ACS 3.3, I mapped a group named "ACSWireless". I created the respective group "DomainWireless" in active directory.
My question is:
On ACS 3.3, which option should I pick under "Interface Configuration" in order to configure the options on ACS which will allow the AAA client 'Access Points' to gain access? I found an option for VPN, but not wireless. That's not very clear to me.
On "Group setup", I ended up with options "Jump to" Access Restrictions, IP Address Assignment, RADIUS (Cisco IOS/PIX) and RADIUS IETF.
I don't see anything explicit there for 'wireless' or
Your direction on this would be really appreciated. Please find attached screenshots showing what my configuration looks like.
If I understood right, you want a specific group in the ACS database to be allowed to authenticate only against a single NAS or NDG.
I have done this the following way:
I created an NDG (Network Device Group) called Wireless APs. I added every AP in this group. Then you go to the group setup and edit the group settings. Check the "Per Group Defined Network Access Restrictions" and add your NDG containing the wireless APs. Use "*" wildcard for port and address filters so your clients should be allowed to connect to every AP on every port. That's all. You can test this by not including an AP in the NDG. Clients connecting to that AP shouldn't be allowed to connect because NAR is in place and this AP is not in the allowed list.
If you can't create NDGs then go to Interface configuration / Advanced options and check the Network Device Group option (not enabled by default).
If you don't see "Network Access Restrictions" on the group settings page then go again to Interface Configuration / Advanced Options and check the "Group-Level Network Access Restrictions" (also not enabled by default).