07-14-2006 06:34 AM - edited 03-10-2019 02:39 PM
Win2003 active directory.
I am planning to create a Windows security group (global) "WirelessUsers" and a group named "VPNUsers".
Then I would need to go to ACS 3.3 and need to configure mapping to allow such groups to access wireless and VPN respectively. Users which are not members of such groups should not have access to VPN or wireless.
Few questions
1) Can you point me to a documentation which shows a similar configuration ?
I have browsed the Cisco website and so far I have seen the section "Set group membership" http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00802335ee.html
But I did not see "how to" sections showing how I can grant VPN or wireless permissions for a certain Windows active directory security group.
2) I see that the latest version of ACS is 4.0 ? Anyone out there is using ACS 4.0, is that a stable product or should I be OK with ACS 3.3 ?
07-14-2006 07:55 AM
Essentially what you will have to do is create Network Access Restrictions for each group in ACS:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
So for example, you have two AD groups and two ACS groups: AD_VPN and AD_Wireless, ACS_VPN and ACS_Wireless.
If you're Database Group Mapping, you'll have:
- AD_VPN maps to the ACS_VPN group
- AD_Wireless maps to the ACS_Wireless group
Then in your ACS_VPN group, you would create a network access restriction which states that users in this group can ONLY authenticate to your VPN headend. Similarly with wireless, the ACS_Wireless group has it's own NAR that restricts access to only Wireless APs.
So what happens is, when a user who is only in the AD_VPN group in Active Directory tries to VPN in, he/she gets mapped to the ACS_VPN group, authenticates successfully, and is given VPN access. If this same user tries to log into wireless, he/she will still get mapped to the ACS_VPN group, but because of the NAR applied to that group, will be denied access. Similarly, this goes for wireless users.
I hope this is the functionality that you were looking for.
Sincerely,
Annie
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide