https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229167#M217841 <HTML><HEAD></HEAD><BODY><P>Hi Sohail,</P><P></P><P>The user wlan.test01 is getting the right group VIP_AD_GROUP. However, it seems your NAR setting are configured on user and group setup both. You need to disable NAR on the user<STRONG> wlan.test01</STRONG> by editing the user and unchecking "<STRONG>only allow network access when</STRONG>" the third screen shot shows that settings. Only enable NAR on groups like you have configured in first and second screen shots for VIP and CORP. Disable it on user setup and try again it should work without any issues.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 08 Jul 2013 04:56:32 GMT Jatin Katyal 2013-07-08T04:56:32Z https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229163#M217837 <P>Hi All, </P><P></P><P>I have WLC 5508 which is integrated to ACS 4.2 and MS AD. User Groups are mapped on ACS. Each groups is assigned to a SSID. Now, I want to restrict user of each group to come up with the corresponding SSID. I have 4 x SSIDs &amp; Groups as</P><P></P><P>- Corp</P><P>- IT</P><P>- VIP</P><P>- Consultant</P><P></P><P>I have configured Shared NARs for each Group with CLI as ANY and DNIC as corresponding SSID. For a user, who is a member of single group is authenticated successfully. But if a user is member of multiple groups, I am getting following error.</P><P></P><TABLE border="1" cellpadding="0" cellspacing="0" height="43" style="margin-left: 4.8pt; border-collapse: collapse; border: medium none; width: 1312px;"><TBODY><TR style="height: 15.0pt;"><TD nowrap="nowrap" style="width: 54.8pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="73"><P style="margin-bottom: .0001pt; line-height: normal;">Message-Type</P></TD><TD nowrap="nowrap" style="width: 76.5pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="102"><P style="margin-bottom: .0001pt; line-height: normal;">User-Name</P></TD><TD nowrap="nowrap" style="width: 59.5pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="79"><P style="margin-bottom: .0001pt; line-height: normal;">Group-Name</P></TD><TD nowrap="nowrap" style="width: 1.25in; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="120"><P style="margin-bottom: .0001pt; line-height: normal;">Authen-Failure-Code</P></TD><TD nowrap="nowrap" style="width: 81.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="108"><P style="margin-bottom: .0001pt; line-height: normal;">NAS-Port</P></TD><TD nowrap="nowrap" style="width: 63.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="84"><P style="margin-bottom: .0001pt; line-height: normal;">NAS-IP-Address</P></TD><TD nowrap="nowrap" style="width: 94.5pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="126"><P style="margin-bottom: .0001pt; line-height: normal;">Filter Information</P></TD><TD nowrap="nowrap" style="width: 45.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="60"><P style="margin-bottom: .0001pt; line-height: normal;">EAP Type</P></TD><TD nowrap="nowrap" style="width: .75in; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="72"><P style="margin-bottom: .0001pt; line-height: normal;">EAP Type Name</P></TD><TD nowrap="nowrap" style="width: 45.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="60"><P style="margin-bottom: .0001pt; line-height: normal;">Reason</P></TD><TD nowrap="nowrap" style="width: 117.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="156"><P style="margin-bottom: .0001pt; line-height: normal;">Access Device</P></TD><TD nowrap="nowrap" style="width: 63.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="84"><P style="margin-bottom: .0001pt; line-height: normal;">Network Device Group</P></TD></TR><TR style="height: 15.0pt;"><TD nowrap="nowrap" style="width: 54.8pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="73"><P style="margin-bottom: .0001pt; line-height: normal;"><SPAN style="color: #ff0000;">Authen failed</SPAN></P></TD><TD nowrap="nowrap" style="width: 76.5pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="102"><P style="margin-bottom: .0001pt; line-height: normal;">meraas\wlan.test01</P></TD><TD nowrap="nowrap" style="width: 59.5pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="79"><P style="margin-bottom: .0001pt; line-height: normal;">VIP_AD_Group</P></TD><TD nowrap="nowrap" style="width: 211.5pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="282"><P style="margin-bottom: .0001pt; line-height: normal;">Users Access Filtered</P></TD><TD nowrap="nowrap" style="width: 81.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="108"><P style="margin-bottom: .0001pt; line-height: normal;">meraas\wlan.test01</P></TD><TD nowrap="nowrap" style="width: 63.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="84"><P style="margin-bottom: .0001pt; line-height: normal;">172.30.1.10</P></TD><TD nowrap="nowrap" style="width: 157.5pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="210"><P style="margin-bottom: .0001pt; line-height: normal;"><SPAN style="color: #ff0000;">No Filters activated.</SPAN></P></TD><TD nowrap="nowrap" style="width: 45.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="60"><P align="right" style="margin-bottom: .0001pt; text-align: right; line-height: normal;">25</P></TD><TD nowrap="nowrap" style="width: .75in; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="72"><P style="margin-bottom: .0001pt; line-height: normal;">MS-PEAP</P></TD><TD nowrap="nowrap" style="width: 45.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="60"><BR /></TD><TD nowrap="nowrap" style="width: 117.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="156"><P style="margin-bottom: .0001pt; line-height: normal;">EMAAR3-WL-CONTROLLER-01</P></TD><TD nowrap="nowrap" style="width: 63.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 15.0pt;" valign="bottom" width="84"><P style="margin-bottom: .0001pt; line-height: normal;">WLC</P></TD></TR></TBODY></TABLE><P></P><P>Following are the screenshots of what I have configured on ACS on Shared NAR</P><P></P><P><IMG src="https://community.cisco.com/" /></P><P></P><P><IMG src="https://community.cisco.com/" /></P><P></P><P>I have mapped 2 of the Shared NARs on User's Advanced settings to allow if any of the NARs results in permit. </P><P></P><P> <IMG src="https://community.cisco.com/" /></P><P></P><P>Following is the group mappings for the domain.</P><P></P><P> <IMG src="https://community.cisco.com/" /></P><P></P><P> Further, I have also configured NARs on each group for the users who member of only one group. That is working fine. But whenever a user who is member of 2 groups tries to authenticate, I am getting the mentioned error. Looking forward for help.</P><P></P><P>Regards,</P><P>Sohail</P> Sun, 04 Jul 2021 07:21:37 GMT https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229163#M217837 Sohail Muhammad 2021-07-04T07:21:37Z https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229164#M217838 <HTML><HEAD></HEAD><BODY><P>Sohail, </P><P></P><P>Screen shots are not attached. Could you please post them again.</P><P></P><P>Wlan.test01 user is being assigned to VIP_AD_GROUP group on ACS and I'm sure that group is configured for some other SSID, that is why you're getting denied with User Access Filtered.</P><P></P><P>Could you please tell me Wlan.test01 user is part of what all AD groups?</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Sat, 06 Jul 2013 14:31:07 GMT https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229164#M217838 Jatin Katyal 2013-07-06T14:31:07Z https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229165#M217839 <HTML><HEAD></HEAD><BODY><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/9/0/8/144809-4.png" class="jive-image" /></P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/8/0/8/144808-3.png" class="jive-image" /><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/7/0/8/144807-2.png" class="jive-image" /><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/6/0/8/144806-1.png" class="jive-image" /></P><P></P><P>Above are the screenshots. </P><P></P><P>Sohail</P></BODY></HTML> Sun, 07 Jul 2013 04:06:59 GMT https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229165#M217839 Sohail Muhammad 2013-07-07T04:06:59Z https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229166#M217840 <HTML><HEAD></HEAD><BODY><P>wlan.test01 is the member of VIP &amp; Corp groups only.</P><P></P><P>Sohail</P></BODY></HTML> Sun, 07 Jul 2013 04:10:39 GMT https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229166#M217840 Sohail Muhammad 2013-07-07T04:10:39Z https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229167#M217841 <HTML><HEAD></HEAD><BODY><P>Hi Sohail,</P><P></P><P>The user wlan.test01 is getting the right group VIP_AD_GROUP. However, it seems your NAR setting are configured on user and group setup both. You need to disable NAR on the user<STRONG> wlan.test01</STRONG> by editing the user and unchecking "<STRONG>only allow network access when</STRONG>" the third screen shot shows that settings. Only enable NAR on groups like you have configured in first and second screen shots for VIP and CORP. Disable it on user setup and try again it should work without any issues.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 08 Jul 2013 04:56:32 GMT https://community.cisco.com/t5/wireless/issue-with-shared-nar/m-p/2229167#M217841 Jatin Katyal 2013-07-08T04:56:32Z