https://community.cisco.com/t5/network-access-control/authentication-problem-in-acs/m-p/2080549#M146570 <P>Hi,</P><P></P><P>i have created two ssid on WLC &amp; authentication Via ACS to AD. after that i have configure TACACS+ on same ACS Server but some of the users can login in Wi-Fi which are not in member of Wi-Fi group.</P><P></P><P>Please find the below ACS configuration.</P><P></P><P>Group 1 &gt;&gt;&gt;&gt;&nbsp; HIgh managemnet Users&nbsp; " this user can login in SSID 1"</P><P>Group 3 &gt;&gt;&gt;&gt; Corporate User&nbsp;&nbsp;&nbsp; "this users can login in SSID 2"</P><P></P><P>In group configuration i have configure DNIS/CLI based configuration.</P><P></P><P>AAA client select</P><P>Port *</P><P>CLI * </P><P>DNIS *SSID1</P><P></P><P>same configuration for SSID 2</P><P></P><P>after that i have creat two more group for TACACS + for Device authentication (Shell command based) (Authentication through AD)</P><P></P><P>Group 5 &gt;&gt;&gt;&gt; Full Access</P><P>Group 6 &gt;&gt;&gt;&gt; Read Only Access.</P><P></P><P>but now what ever user are in group 5 &amp; 6 those are login in Wifi.</P><P></P><P>how to stop them?</P> Mon, 11 Mar 2019 02:53:02 GMT hirenparekh12 2019-03-11T02:53:02Z https://community.cisco.com/t5/network-access-control/authentication-problem-in-acs/m-p/2080549#M146570 <P>Hi,</P><P></P><P>i have created two ssid on WLC &amp; authentication Via ACS to AD. after that i have configure TACACS+ on same ACS Server but some of the users can login in Wi-Fi which are not in member of Wi-Fi group.</P><P></P><P>Please find the below ACS configuration.</P><P></P><P>Group 1 &gt;&gt;&gt;&gt;&nbsp; HIgh managemnet Users&nbsp; " this user can login in SSID 1"</P><P>Group 3 &gt;&gt;&gt;&gt; Corporate User&nbsp;&nbsp;&nbsp; "this users can login in SSID 2"</P><P></P><P>In group configuration i have configure DNIS/CLI based configuration.</P><P></P><P>AAA client select</P><P>Port *</P><P>CLI * </P><P>DNIS *SSID1</P><P></P><P>same configuration for SSID 2</P><P></P><P>after that i have creat two more group for TACACS + for Device authentication (Shell command based) (Authentication through AD)</P><P></P><P>Group 5 &gt;&gt;&gt;&gt; Full Access</P><P>Group 6 &gt;&gt;&gt;&gt; Read Only Access.</P><P></P><P>but now what ever user are in group 5 &amp; 6 those are login in Wifi.</P><P></P><P>how to stop them?</P> Mon, 11 Mar 2019 02:53:02 GMT https://community.cisco.com/t5/network-access-control/authentication-problem-in-acs/m-p/2080549#M146570 hirenparekh12 2019-03-11T02:53:02Z https://community.cisco.com/t5/network-access-control/authentication-problem-in-acs/m-p/2080550#M146577 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>In your authorization rules is the default rule set to Permit? If so please set it to Deny, when ACS is configured brand new the default policies are always set to permit.</P><P></P><P>If that is not the case please post screenshots of your policies, and also of the authentication report of the user that was allowed access.</P><P></P><P>Hope that helps.</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Fri, 14 Dec 2012 04:51:47 GMT https://community.cisco.com/t5/network-access-control/authentication-problem-in-acs/m-p/2080550#M146577 Tarik Admani 2012-12-14T04:51:47Z https://community.cisco.com/t5/network-access-control/authentication-problem-in-acs/m-p/2080551#M146584 <HTML><HEAD></HEAD><BODY><P><BR />Hi</P><P>&nbsp; </P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/4/6/118640-Group%201.png" class="jive-image" /></P><P></P><P>I have configure above setting for SSID 1 in Group 1 &amp; MAP security group (with AD) with Group 1 in external Database.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/1/4/6/118641-Group%202.png" class="jive-image" /></P><P></P><P>I have configure above setting for SSID 2 in Group 3 &amp; MAP security group (with AD) with Group 3 in external Database.</P><P></P><P>till the time user maped in Group 3 is not login in group1 SSID.</P><P></P><P>after that i have configure TACACS + on same server with</P><P></P><P>Group 5 &gt;&gt;&gt;&gt; Full Access ( Shell command authorization Set)</P><P></P><P>Group 6 &gt;&gt;&gt;&gt; Read Only Access.( Shell command authorization Set)</P><P></P><P></P><P>Exp. hparekh is member of Group 6 &amp; Group 3 but now it is login in Group 1 SSID.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/2/4/6/118642-Tacacs%2B.png" class="jive-image" /></P><P></P><P></P><P>Please find the External database setting</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/3/4/6/118643-Database.png" class="jive-image" /></P></BODY></HTML> Sun, 30 Dec 2012 09:10:28 GMT https://community.cisco.com/t5/network-access-control/authentication-problem-in-acs/m-p/2080551#M146584 hirenparekh12 2012-12-30T09:10:28Z