Cisco Support Community
Community Member

ACS PEAP and VPN AD authentication problem


I'm having a setup problem with my ACS. I need to authenticate users to the wireless network using PEAP, and I'm also using this ACS to authenticate VPN.

I have two AD domain user groups for this, one called Wireless and the other VPN, and I'm using the External database group mapping in the ACS (the ACS is joined to this domain).

At the moment the Authentication priority is sorted in this way:

1. VPN to ACS VPN group.

2. Wireless to ACS Wireless group

The problem is that we don't want people that are in the VPN AD group to have access to the Wireless network and vice versa.

But I'm at a loss how to configure it so that users who are in BOTH groups get access, because it seems that when I use NAS filtering on the ACS VPN group, people get authentication rejected.

So let's say Stan connects to the wireless network, Stan is a member of both groups.

Stan connects -> ACS goes through External Binding Order -> Stan is a member of the VPN group -> Stan gets denied access due to the NAS filter on the ACS VPN group -> Stan gets access rejected.

I might be missing something here. Does anyone have an idea how to get this working, or how to tell the ACS to try the NEXT group mapping in the list?

Thanks in advance.
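The rejection chain described above is a first-match problem: the mapping engine stops at the first rule the user matches, and the NAS filter on that group then rejects instead of falling through. The model below is an added illustration written for this thread, not ACS code or configuration; the NAS names, user names and the assumption that a mapping rule can require membership in a set of AD groups are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data modelling the post: Stan is in both AD groups.
AD_GROUPS = {"stan": {"VPN", "Wireless"}, "kyle": {"Wireless"}, "kenny": {"VPN"}}

# Assumed NAS (device) identifiers for the VPN head-end and the WLAN controller.
VPN_NAS = "asa-vpn"
WLAN_NAS = "wlc-wireless"

# Per-ACS-group NAS filter: the set of NAS a group may authenticate from.
NAS_FILTERS = {
    "ACS-VPN": {VPN_NAS},
    "ACS-Wireless": {WLAN_NAS},
    "ACS-Both": {VPN_NAS, WLAN_NAS},
}


@dataclass(frozen=True)
class Mapping:
    ad_groups: frozenset  # user must belong to ALL of these AD groups
    acs_group: str


def map_user(user, mappings):
    """First-match group mapping: the first rule whose AD group set the user
    satisfies wins; later rules are never consulted (no fall-through)."""
    groups = AD_GROUPS.get(user, set())
    for rule in mappings:
        if rule.ad_groups <= groups:
            return rule.acs_group
    return None


def authenticate(user, nas, mappings):
    """Map the user, then apply the NAS filter of the mapped ACS group."""
    acs_group = map_user(user, mappings)
    if acs_group is None:
        return "reject: no mapping"
    if nas not in NAS_FILTERS[acs_group]:
        return f"reject: NAS filter on {acs_group}"
    return f"accept: {acs_group}"


# Ordering from the post: VPN rule first, then Wireless.
ORIGINAL = [Mapping(frozenset({"VPN"}), "ACS-VPN"),
            Mapping(frozenset({"Wireless"}), "ACS-Wireless")]
# Most-specific rule first: dual-membership users map to a group allowed on both NAS.
REORDERED = [Mapping(frozenset({"VPN", "Wireless"}), "ACS-Both")] + ORIGINAL

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label, "stan@wlc ->", authenticate("stan", WLAN_NAS, rules))
```

Running it shows Stan rejected under the original order and accepted under the reordered rules, while single-group users are still confined to their own NAS.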


Community Member

Re: ACS PEAP and VPN AD authentication problem


I think you can use the ACL on the ACS to avoid this problem,

and this example is for the Windows ACS.
