https://community.cisco.com/t5/wireless/wireless-authentification-acs-to-ad-group-mapping-issue/m-p/839775#M29412 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Not sure if this is your issue, but in ACS there is a default policy if they do not authenticate. You can set this to deny, local authentication, or if authenticating to devices have it go to a group with no priviliges. I am thinking that it is set to authenticate automatically. </P></BODY></HTML> Wed, 31 Oct 2007 22:04:02 GMT nathan.haley 2007-10-31T22:04:02Z https://community.cisco.com/t5/wireless/wireless-authentification-acs-to-ad-group-mapping-issue/m-p/839774#M29411 <P>Hi, </P><P>we have the following implementation: </P><P>Cisco Access Points mainly 1200 series and 1130, Cisco ACS v.4.1, and MS Active Directory. </P><P></P><P>I've used a self generated Certificate on the Cisco ACS, and installed it on the local PC, also linked Cisco ACS with AD, with a group mapping for allowing access to WLAN. </P><P></P><P>I got two group mapping in ACS to two domain group in Active Directory:</P><P>ACS -Group 1 = AD -Wifi_student </P><P>ACS -group 2 = AD -Wifi_employe</P><P></P><P>when a user is not in the both domain group(AD) try to authenticate, the user pass the authentification. it suppose to fail. Only the user in the group a alllow to authenticate.</P><P></P><P>do you think it is a bug of ACS 4.1 ?</P><P>do you think it is a misconfiguration of the windows policy ?</P><P>do you think to create local group instead domin group</P> Sat, 03 Jul 2021 21:51:46 GMT https://community.cisco.com/t5/wireless/wireless-authentification-acs-to-ad-group-mapping-issue/m-p/839774#M29411 dcoulanges 2021-07-03T21:51:46Z https://community.cisco.com/t5/wireless/wireless-authentification-acs-to-ad-group-mapping-issue/m-p/839775#M29412 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Not sure if this is your issue, but in ACS there is a default policy if they do not authenticate. You can set this to deny, local authentication, or if authenticating to devices have it go to a group with no priviliges. I am thinking that it is set to authenticate automatically. </P></BODY></HTML> Wed, 31 Oct 2007 22:04:02 GMT https://community.cisco.com/t5/wireless/wireless-authentification-acs-to-ad-group-mapping-issue/m-p/839775#M29412 nathan.haley 2007-10-31T22:04:02Z https://community.cisco.com/t5/wireless/wireless-authentification-acs-to-ad-group-mapping-issue/m-p/839776#M29413 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Not sure if this is your issue, but in ACS there is a default policy if they do not authenticate. You can set this to deny, local authentication, or if authenticating to devices have it go to a group with no priviliges. I am thinking that it is set to authenticate automatically from the domain in general if the groups fail and maps to the default group policy. (in ACS)</P><P></P><P>I was able to create a group in AD authenticate to it and set the default behavoir to deny if it did not auth to that group or locally on the ACS server</P></BODY></HTML> Wed, 31 Oct 2007 22:05:10 GMT https://community.cisco.com/t5/wireless/wireless-authentification-acs-to-ad-group-mapping-issue/m-p/839776#M29413 nathan.haley 2007-10-31T22:05:10Z