I am having a problem with trying to prevent access from particular users trying to come in via VPN. We have ACS 4.2.0 build 124 patch 4 serving as a link between our ASAs and MS AD. The users are supposed to be able to be in the RAS Group, which is mapped to the VPN user group in ACS. We have tried removing the user from the AD RAS group and waited about 15 minutes before trying to remote in as the user. We could still get in. According to the reports I looked at from ACS, it thinks the user is still in the VPN group in ACS, which is mapped only to the RAS group in AD.
The only way I have found to keep the user from coming in is to either disable their account via ACS or have the helpdesk folks go into AD and disable the account there. Don't really want to let the help desk folks into ACS to disable accounts there. The end result is that we want to disable remote access only while leaving the account active, which would require the particular folks to come into the office to do what needs to be done.
Everything I see points to a problem between ACS and AD. I have been looking for troubleshooting docs but haven't found anything so far.
We are going to move to ACS 5.1 but ran into significant problems with the migration utility, which TAC indicates won't be fixed for some time (if ever).
This means that we need to get this fixed with ACS 4.2.
One would be under the domain name in the "External User Databases", "Database Group Mapping", "Windows NT/2000", then your Domain name... and see if he's in any other Windows AD groups that also map to that ACS group... If you have a group of VPN-DENIED, then move that to the top and assign that to him then he should "match" that one first.
The second would be in the "External User Databases", "Database Configuration", "Microsoft Windows" then "Change/Configure" (something like that). There are options there that apply to ALL user mappings that you may want to look through. You may find a solution there, but you need to be careful, because they do apply to all users, so if you require something, it may "break" everyone until you "fix" their accounts to match.