Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

AS Dialup User Access

Access server authentication issue, we have an AD group called dialinusers, member of this group can dial in to the network with limited access to resources. The access server AS1 will query the ACS server for authentication, ACS will check the user based on UN and PW against groups configured on the ACS server. Dial in user maybe member of more than one group, if so the AS1 will authorize access base on the entries of one of those other groups, this should not happen, AS1 should deny access if dial in user is not a member of the dialinuser group.

The ACS server has group mapping to active directory NT groups, this works fine with VPN if a user logs in under one group but is a member of another group the ACS will assign the user to the correct group after UN and PW are authenticated.

Below is a partial config from AS1 showing the aaa config, ppp dial in user should default to the dialinuser group and allow access based on there local UN and PW only if they are member of dialinusers group. This is not working as it should the issue is dial in user are allowed access based on membership of groups other than dialinusers. Any help on how this AS should be configed would be a great help. Thanks

aaa group server radius dialinusers

server auth-port 1645 acct-port 1646


aaa authentication login default group radius enable

aaa authentication login local-only local

aaa authentication ppp default group dialinusers local

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common


Re: AS Dialup User Access

The syntax of the following command is incorrect:

aaa authentication ppp default group dialinusers local

Correct syntax:

aaa authentication ppp default group radius local

You had already mentioned which radius group to be used - 'aaa group server radius dialinusers'

New Member

Re: AS Dialup User Access

Thank you, I will try your suggestion tomorrow.

CreatePlease to create content