Cisco Support Community
Community Member

Wireless and ACS mappings.

Hi, can you help me on this ?

Cisco ACS 3.3.

Goal:I want to allow only users members of security group 'myActiveDirectoryDomain\WirelessACS' be able to authenticate.

I am doing this in a lab environment before going into production:

On ACS 3.3, I mapped a group named "ACSWireless". I created the respective group "DomainWireless" in active directory.

My question is:

On ACS 3.3, which option should I pick under "Interface Configuration" in order to configure the options on ACS which will allow the AAA client 'Access Points' to gain access ? I found an option for VPN, but not wireless. That's not very clear to me.

On "Group setup", I ended up with

options "Jump to" Access Restrictions,

IP Address Assignment, RADIUS (Cisco IOS/PIX)


I don't see anything explicit there for 'wireless' or

access points.

Your direction on this would be really appreciated. Please find attached screenshots showing how my configuration looks like.

Community Member

Re: Wireless and ACS mappings.

Let me add that I am trying to make the ACS authenticate users through LEAP.

On the respective Access Point 1200, "Express Security" menu, I already informed the ACS server IP address there.

Community Member

Re: Wireless and ACS mappings.

If i understood right you want a specific group in ACS database to be allowed to authenticate only against a single NAS or NDG.

I have done this the following way:

I created a NDG (Network Device Group) called Wireless APs. I added every AP in this group. The you go to the group setup and edit the group settings. Check the "Per Group Defined Network Access Restrictions" and add your NDG containing the wireless APs. Use "*" wildcard for port and address filters so your clients should be allowed to connect to every AP on every port. That's all. You can test this by not including an AP in the NDG. Clients connecting to that AP shouldn't be allowed to connect because NAR is in place and this AP is not in the allowed list.

If you can't create NDGs then go to Interface configuration / Advanced options and check the Network Device Group option (not enabled by default).

If you don't see "Network Access Restrictions" on the group settings page then go again to Interface Configuration / Advanced Options and check the "Group-Level Network Access Restrictions" (also not enabled by default).


Re: Wireless and ACS mappings.


When you said "I want to allow only users members of security group 'myActiveDirectoryDomain\WirelessACS' be able to authenticate" did you mean all other AD users should *not* ?

If this is the case, edit the group mappings to map all other AD groups to "no access".

Any AD user who is not in the correct group will get rejected.

If you're going to use NARs make sure you use DNIS/CLID NARs at these are Layer 2.

CreatePlease to create content