
Wireless authentication: ACS to AD group mapping issue!

dcoulanges
Level 1

Hi,

We have the following implementation:

Cisco Access Points mainly 1200 series and 1130, Cisco ACS v.4.1, and MS Active Directory.

I've used a self-generated certificate on the Cisco ACS and installed it on the local PC. I also linked Cisco ACS with AD, with a group mapping for allowing access to the WLAN.

I have two group mappings in ACS to two domain groups in Active Directory:

ACS -Group 1 = AD -Wifi_student

ACS -group 2 = AD -Wifi_employe

When a user who is not in either domain group (AD) tries to authenticate, the user passes authentication. It is supposed to fail. Only users in the groups are allowed to authenticate.

Do you think it is a bug in ACS 4.1?

Do you think it is a misconfiguration of the Windows policy?

Do you think I should create a local group instead of a domain group?


nathan.haley
Level 1

Hello,

Not sure if this is your issue, but in ACS there is a default policy if they do not authenticate. You can set this to deny, local authentication, or, if authenticating to devices, have it go to a group with no privileges. I am thinking that it is set to authenticate automatically.

nathan.haley
Level 1

Hello,

Not sure if this is your issue, but in ACS there is a default policy if they do not authenticate. You can set this to deny, local authentication, or, if authenticating to devices, have it go to a group with no privileges. I am thinking that it is set to authenticate automatically from the domain in general if the groups fail, and maps to the default group policy (in ACS).

I was able to create a group in AD, authenticate to it, and set the default behavior to deny if it did not auth to that group or locally on the ACS server.
