
ACS advanced configuration question . .

g.rodegari
Level 1

Hi all,

I have ACS 3.3(1) on a W2K platform.

I've made various tests for AAA of network device TACACS+ administration and RADIUS authentication for VPN, Wi-Fi PEAP and RAS users.

All with a mapping between ACS groups and Microsoft DB groups. All users were created dynamically in the ACS DB.

All works fine!

Then... My question is:

My customer wants to use only one (or two, but replicated) ACS for all those services.

In the Windows DB there is only one username, in this format: "surname".

I made these mappings:

ACS group <-> Microsoft group

net-admin <-> domain/netadmin

net-operator <-> domain/netoperator

wifi-users <-> domain/wifi

vpn-users <-> domain/vpn

ras-users <-> domain/ras

And checked the "Unknown Users Policy"...

ACS lists all the groups mapped for authentication and stops at the first group that contains this username... but all the other services are never granted...

For example, if a user with username "Goldrake" is authenticated for Wi-Fi... this username could never be authenticated for RAS or VPN....

Then: Can I force ACS to control authentication on some groups only for some devices (NAS server) and other groups for other devices?

ex:

- Wi-Fi request from access point authenticated only in WiFiGroup

- RAS service from NAS authenticated only on RAS group ....

- and so on ....

I hope that it is all clear... :-)

Sorry for my bad English

Thanks ALL!!!

Graz.

2 Replies

g.rodegari
Level 1

Hi All,

I've tried with NAR (Network Access Restriction) in users group.

This thing seems to work fine for "aaa authentication login", then to authenticate access to the network device... but it does not work with either RADIUS or TACACS+ for authentication through the network device, "aaa authentication ppp"...

Any ideas?

Thank you so much,

rgds

G.

Hi all,

I've tried with CLI/DNIS control instead of IP control...

and (I do not know why) it seems to work fine!

Thanks all,

G.