04-10-2008 11:21 PM - edited 03-10-2019 03:46 PM
I am trying to implement LEAP authentication on Access Point. I have a Cisco ACS 3.1 which is integrated into Active Directory. I would like to use the group mapping feature for authentication, i.e.: I have created an NT group in Active Directory and added some users into that group. I want only those users who are listed in this group to use the Wireless LAN. How can I go about this?
04-11-2008 06:33 AM
You need to set up group mapping in acs.
ACS--->Ext db--->Group mapping--->windows--->choose domain---> add mapping----> choose NT group and pick one acs group-->submit.
Now you will see the mapping. Now on the rest of the user groups, you need to set up a NAR, with a condition, not allowing them the wireless NAS.
See this link,
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Regards,
~JG
Do rate helpful posts
04-12-2008 02:50 PM
I could create NT Group Mapping. Where to create NAR? I could find only the below settings under Shared Profile Components.
Shell Command Authorization Set
PIX Command Authorization Set
Thanks
04-12-2008 05:50 PM
Hi,
Yeah, in ACS 3.1 it's under the Shared Profile Components page. In ACS 4.1 it's directly under the user groups or under the SPC page.
You need to check the box for "define ip based access restriction" and deny access for all other groups to the wireless access points network device group.
In the NAR
1. Denied Calling/Point of access restrictions
2. AAA Clients = Wireless access points (whatever you called your network device group for wireless)
3. Port = just put a * for all
4. Src IP address = just put a * as well
Click submit to save it.
Go to the ACS User groups section, select all the groups "that don't need access to wireless" and apply the NAR you created to each group. The section is called Network Access Restrictions (NAR) under the group area.
Hope this helps and let me know if you need further assistance or explanation.
Craig
04-15-2008 05:02 AM
Currently I have configured my ACS with Active Directory. Users who have Dial-in Permissions set can connect to Access Points.
Now I have created a Windows group in domain with 5 members in it and I have mapped that group in ACS to group 10.
Now I want only the members of the group to connect to Access point. How do I do that?
I tried the NAR settings but did not work.
04-15-2008 06:55 AM
Hi,
I'm pretty sure that NARs will work for this.
You need to deny all other groups access to the access points. So if you have 9 other groups other than the "group 10", you need to apply the deny NAR to each group.
Under Groups 1-9 create a NAR to deny calling/point to the access points (network device group) and just put * for port and address. You'll need to submit and restart for the changes to take effect. The box will not allow authentications at the time of the restart, so do it when the system is not busy.
I hope I understood your question right, but if not just let me know.
Craig
04-15-2008 04:19 PM
There are 500 default ACS groups and it's not a practical solution to add a NAR to all the 500 groups.
04-16-2008 07:21 AM
I'm sorry that I couldn't have a better answer for you right now. If I come across another fix I'll post it on the forum.
Craig
04-16-2008 07:54 AM
Hi
With ACS v3.1 you do not have many options, but if you upgrade to ACS v4.1 you can implement Network Access Profiles.
By this you can authorize a group to particular network devices and deny access to other groups.
The following link can give more detail:
Rohit
04-16-2008 01:08 PM
Assign group mappings to the associated NT group and scroll down to the group name.
In the group name, go to "Per Group Defined Network Access Restrictions", check the box to implement the group NAR, and assign the access points to this group with AP1 * *. Scroll down to Denied Calling/Point of Access Location.
Hope this helps.
Dwane
04-16-2008 10:34 PM
I am using ACS 3.1 so can not use Network Access Profile. I used the following method which works fine for me. Correct me if I am wrong.
1. Edit the ACS "0 default group" settings. Under NAR, select the check box "Only allow network access when" but do not add any NAR. Please go through the attachment.
2. Define a NAR to permit access for Network device group "Wireless Access Point"
3. Map a Windows group to ACS group and add that NAR to the group.
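To make the default-deny logic of these three steps concrete, here is a small Python model of the ACS decision as the thread describes it (an added illustration, not ACS code or anything from the original posts). It assumes: a user lands in the first ACS group their NT group is mapped to, otherwise in group 0; a group with "Only allow network access when" ticked and no NAR entries denies every network device group (NDG); a permit NAR allows only the listed NDGs. The NT group name "WLAN-Users" and the second NDG "VPN" are made-up sample values.

```python
from dataclasses import dataclass, field

WIRELESS_NDG = "Wireless Access Point"   # NDG name used in the thread
DEFAULT_GROUP = 0                        # the ACS "0 default group"


@dataclass
class AcsGroup:
    name: str
    only_allow_when: bool = False        # the "Only allow network access when" box
    permit_ndgs: set = field(default_factory=set)   # permit-NAR entries (NDG names)


# Step 3: NT group -> ACS group number (group 10, as in the thread; "WLAN-Users" is constructed)
NT_TO_ACS = {"WLAN-Users": 10}

# Step 1: default group restricted with NO NAR entries -> denies everything.
# Step 2/3: group 10 carries a permit NAR for the wireless NDG only.
GROUPS = {
    DEFAULT_GROUP: AcsGroup("Default Group", only_allow_when=True),
    10: AcsGroup("Group 10", only_allow_when=True, permit_ndgs={WIRELESS_NDG}),
}


def acs_group_for(user_nt_groups):
    """Return the first mapped ACS group for the user's NT groups, else the default group."""
    for nt_group in user_nt_groups:
        if nt_group in NT_TO_ACS:
            return NT_TO_ACS[nt_group]
    return DEFAULT_GROUP


def authorize(user_nt_groups, ndg):
    """Decide whether a user may authenticate through an AAA client that belongs to NDG `ndg`."""
    group = GROUPS[acs_group_for(user_nt_groups)]
    if not group.only_allow_when:
        return True                      # unrestricted group: no NAR applied
    # Restricted group: access only to explicitly permitted NDGs.
    # An empty permit set (the default group) therefore denies all access,
    # which is why the other 499 groups need no per-group deny NAR.
    return ndg in group.permit_ndgs
```

Only users mapped into group 10 reach the wireless NDG; everyone else falls into the empty-NAR default group and is denied, and even group 10 is refused on any other NDG.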