https://community.cisco.com/t5/network-access-control/same-user-in-different-acs-groups/m-p/740923#M421031 <P>Hello</P><P></P><P>We have this scenario:</P><P></P><P>A user at home connects via SSL VPN is authenticated by Cisco ACS/RADIUS. User ends up in a specifig SSL VPN group on the ACS. This group is configured with specific properties for SSL VPN.</P><P>Now the same user comes to work with his/her private laptop and wants to access the guest wlan which our policy allows. We have a WLC4402 providing the guest wlan. User opens browser and logs in to the guest wlan, gets authenticated on the Cisco ACS/RADIUS and ends up in the same SSL VPN group.</P><P></P><P>My question is can we configure our ACS 4.1 in such way that it is context sensitive? Knows where the user is coming from and places the user in the right group accordingly?</P><P></P><P>We use LDAP group mappings and they are very static. </P><P></P><P>Any ideas?</P><P></P><P>Kind regards,</P><P>Rutger</P> Sun, 10 Mar 2019 22:05:56 GMT Rutger Blom 2019-03-10T22:05:56Z https://community.cisco.com/t5/network-access-control/same-user-in-different-acs-groups/m-p/740923#M421031 <P>Hello</P><P></P><P>We have this scenario:</P><P></P><P>A user at home connects via SSL VPN is authenticated by Cisco ACS/RADIUS. User ends up in a specifig SSL VPN group on the ACS. This group is configured with specific properties for SSL VPN.</P><P>Now the same user comes to work with his/her private laptop and wants to access the guest wlan which our policy allows. We have a WLC4402 providing the guest wlan. User opens browser and logs in to the guest wlan, gets authenticated on the Cisco ACS/RADIUS and ends up in the same SSL VPN group.</P><P></P><P>My question is can we configure our ACS 4.1 in such way that it is context sensitive? Knows where the user is coming from and places the user in the right group accordingly?</P><P></P><P>We use LDAP group mappings and they are very static. </P><P></P><P>Any ideas?</P><P></P><P>Kind regards,</P><P>Rutger</P> Sun, 10 Mar 2019 22:05:56 GMT https://community.cisco.com/t5/network-access-control/same-user-in-different-acs-groups/m-p/740923#M421031 Rutger Blom 2019-03-10T22:05:56Z https://community.cisco.com/t5/network-access-control/same-user-in-different-acs-groups/m-p/740924#M421032 <HTML><HEAD></HEAD><BODY><P>With ACS v4.1 and NAP, externally authenticated users get a user record for each NAP they authenticate against.</P><P></P><P>As each NAP may have its own external authenticator config, db mappings and authorisation - it should be totally possible.</P><P></P><P>The trick is setting up the NAPs to trigger on RADIUS requests of the appropriate type.</P></BODY></HTML> Mon, 16 Apr 2007 13:45:57 GMT https://community.cisco.com/t5/network-access-control/same-user-in-different-acs-groups/m-p/740924#M421032 darpotter 2007-04-16T13:45:57Z https://community.cisco.com/t5/network-access-control/same-user-in-different-acs-groups/m-p/740925#M421034 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I didn't know this was possible using NAPs. Triggering the NAPs could in our case be done by specifying the NAS IP users come from. </P><P>I will test with NAPs and come back to you.</P><P></P><P>Kind regards,</P><P>Rutger</P></BODY></HTML> Mon, 16 Apr 2007 18:04:09 GMT https://community.cisco.com/t5/network-access-control/same-user-in-different-acs-groups/m-p/740925#M421034 Rutger Blom 2007-04-16T18:04:09Z