05-10-2010 02:03 AM - edited 03-10-2019 05:07 PM
Dear all
I have an ACS running version 4.2. We have integrated this with AD as well.
We had created some groups in ACS for VPN, and they are dynamically mapped to the respective departments. It's working fine now.
We have designed a wireless implementation here with dynamic VLAN assignment.
This is not working because the user is already a member of one group in ACS. I know that I can edit that group and do the wireless parameter settings.
But I would like to know whether the user can be a member of multiple groups, or whether the user will be associated with the first group.
If we have an option for the user to be in multiple groups, how can we do this?
If anyone has faced this issue, please reply to me at the earliest.
regards
-Danish
05-10-2010 03:51 AM
The ACS will map the user to a group on a first come, first served basis. This is the behavior of 4.x. On 5.x though you can do nested grouping etc., but if you have the user being allocated the same attributes twice with different values, only one of them will be chosen. On 5.x I am not sure if it's the first or the last.
05-10-2010 04:21 AM
It's a bit long-winded, but by using multiple Network Access Policies (NAP) in ACS 4.2 you can create specific Windows group mappings per NAP.
The NAP is selected dynamically by NAS IP, or NDG, or any content within the incoming RADIUS packet. So usually it's possible to match on something. NAPs may also have chunks of re-usable RADIUS attributes (Shared Radius Authorisation Components) which can be used instead of setting RADIUS attributes at group level - can reduce the management overhead.
It's not a perfect solution, but should get to where you need to be without having to upgrade.
Facing an ACS audit? Find out how aaa-reports! can help at www.extraxi.com
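
The behaviour discussed in the replies above, as a simplified model added here; it is not part of the original thread and not Cisco code. It contrasts a single first-match group mapping with per-NAP mappings selected by NAS IP. All group names, NAS addresses, attribute values and function names are constructed assumptions.

```python
# Simplified model of ACS 4.2 external group mapping (illustration only).
# Group names, NAS IPs and attribute values below are constructed samples.

# Single ordered AD-group -> ACS-group mapping: the first match wins.
GLOBAL_MAPPING = [
    ("AD-Finance", "VPN-Finance"),
    ("AD-Wireless-Finance", "WLAN-Finance"),
]

# RADIUS attributes returned for each ACS group.
GROUP_ATTRS = {
    "VPN-Finance": {"Class": "ou=finance-vpn"},
    "WLAN-Finance": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                     "Tunnel-Private-Group-ID": "110"},
}

# One NAP per access type, selected by NAS IP, each with its own mapping.
NAPS = [
    {"name": "vpn", "nas_ips": {"10.0.0.1"},
     "mapping": [("AD-Finance", "VPN-Finance")]},
    {"name": "wireless", "nas_ips": {"10.0.1.1"},
     "mapping": [("AD-Finance", "WLAN-Finance")]},
]

def map_group(ad_groups, mapping):
    """Return the ACS group of the first mapping entry the user matches."""
    for ad_group, acs_group in mapping:
        if ad_group in ad_groups:
            return acs_group
    return None

def authorize_global(ad_groups):
    """One mapping for every request: access type is never considered."""
    return GROUP_ATTRS.get(map_group(ad_groups, GLOBAL_MAPPING), {})

def authorize_with_nap(nas_ip, ad_groups):
    """Pick the NAP by NAS IP, then apply that NAP's own mapping."""
    for nap in NAPS:
        if nas_ip in nap["nas_ips"]:
            group = map_group(ad_groups, nap["mapping"])
            return GROUP_ATTRS.get(group) if group else None
    return None  # this model denies when no NAP matches

if __name__ == "__main__":
    user = {"AD-Finance", "AD-Wireless-Finance"}
    print("global  :", authorize_global(user))                # VPN attrs only
    print("wireless:", authorize_with_nap("10.0.1.1", user))  # VLAN attrs
```

With the single mapping, a wireless request from this user never receives the VLAN attributes because the VPN entry matches first; with per-NAP mappings the same AD group yields different attributes depending on which NAS sent the request.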