https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066722#M205464 <HTML><HEAD></HEAD><BODY><P> Thank you.&nbsp; I found the problem with your assistance.&nbsp; Had the permit set. Then set it to DenyAccess.</P></BODY></HTML> Thu, 08 Nov 2012 17:28:42 GMT jeff.ortega 2012-11-08T17:28:42Z https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066720#M205457 <P>Can anyone help me figure out what I have wrong or have missing?</P><P></P><P>I've configured three specific AD groups, Admin, Storage, and HelpDesk, with their own commands sets.</P><P></P><P>This seems to be working fine, but everyone can log into everything, but they can't do anything except exit.</P><P></P><P>My goal is to not allow anyone to login that is not part of the three AD groups I have specified with the respective command sets.<IMG src="https://community.cisco.com/legacyfs/online/legacy/8/3/9/110938-11-5-2012%2011-02-03%20AM.jpg" alt="11-5-2012 11-02-03 AM.jpg" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><P></P><P>All the logins hit the Admin account, even though the id in AD is not in the that AD group.&nbsp; I have something screwed up.</P> Mon, 11 Mar 2019 02:44:53 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066720#M205457 jeff.ortega 2019-03-11T02:44:53Z https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066721#M205462 <HTML><HEAD></HEAD><BODY><P>Check your authorization rules, make sure the default rule isnt set to Permit. Group Mapping is only mapping AD groups to internal ACS groups, we need to check your authorization rules to see which policies they users are hitting, you may want to reset the hit count and test to see which policy is allowing access.</P><P></P><P>Thanks,</P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Mon, 05 Nov 2012 21:42:56 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066721#M205462 Tarik Admani 2012-11-05T21:42:56Z https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066722#M205464 <HTML><HEAD></HEAD><BODY><P> Thank you.&nbsp; I found the problem with your assistance.&nbsp; Had the permit set. Then set it to DenyAccess.</P></BODY></HTML> Thu, 08 Nov 2012 17:28:42 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066722#M205464 jeff.ortega 2012-11-08T17:28:42Z https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066723#M205467 <HTML><HEAD></HEAD><BODY><P>I have a similar setup but i do not see a deny access authorization profile to use for the default. can you explain how you set the default to deny access</P></BODY></HTML> Wed, 30 Jan 2013 01:36:07 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066723#M205467 dpatzold1979 2013-01-30T01:36:07Z https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066724#M205473 <HTML><HEAD></HEAD><BODY><P>Under authorization, check the check box for default, click on Edit and select the deny access profile.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/3/2/127230-Untitled.jpg" class="jive-image" /></P><P></P><P>Regards</P><P>Minakshi (do rate the helpful post)</P></BODY></HTML> Wed, 30 Jan 2013 01:42:18 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066724#M205473 minkumar 2013-01-30T01:42:18Z https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066725#M205475 <HTML><HEAD></HEAD><BODY><P>Somthing must be broken for my install of 5.4 because i do not have a deny access authorization profile.. only permit access </P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/2/3/2/127232-2013-01-29_174554.png" class="jive-image" /></P></BODY></HTML> Wed, 30 Jan 2013 01:46:31 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066725#M205475 dpatzold1979 2013-01-30T01:46:31Z https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066726#M205482 <HTML><HEAD></HEAD><BODY><P>UG never mind.. you have to acctually click on select button to see the deny access profile which does not show up in the policy elements..&nbsp; thanks man it worked.</P></BODY></HTML> Wed, 30 Jan 2013 01:58:46 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-how-to-only-allow-specific-ad-groups-to-login/m-p/2066726#M205482 dpatzold1979 2013-01-30T01:58:46Z