09-05-2013 08:19 AM - edited 03-10-2019 08:52 PM
I feel stupid asking this question as I think it should be easy, but I cannot figure it out. I'm new to Cisco Secure ACS and it was in place when I started my current job, so I was not the one who configured it.
We use our ACS for wireless access. Active Directory is linked to the ACS and the selected groups are Domain Users and Domain Computers. As we sit right now, every enabled AD user has access to the wireless. This makes sense to me, since the entire Domain Users group is selected. We want to create a new group, say Deny Wireless, and put service and generic accounts in this group. That way any normal user account can have wireless access, but the few other accounts are denied.
The other way I'm thinking this may work without changing a whole lot, would be if we just created a new group called Wireless Access and put all users that we wanted to have access in this group. Then instead of having the Domain Users group selected in ACS, we just select the Wireless Access group.
Please let me know the best way to do this. Thanks!
09-10-2013 06:59 AM
Logan,
I believe it is best to use the AD groups to control access, once you have your Access Policies configured. Sounds like you're on the right track.
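The two designs in the question, group-based deny versus an explicit allow group, differ in what happens when a rule is misordered or an account is in neither group. The following is an added Python model written for this thread; it is not code from the thread or from Cisco ACS. It assumes first-match rule evaluation with an implicit deny when nothing matches (the behaviour of an ACS 5.x authorization policy as understood here), and every account, group and rule name in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    groups: frozenset


# A rule is (name, condition on the identity, decision); decisions are "permit" or "deny".
Rule = Tuple[str, Callable[[Identity], bool], str]


def in_group(group: str) -> Callable[[Identity], bool]:
    return lambda ident: group in ident.groups


# Constructed sample directory: every account and group here is made up for illustration.
# The machine account carries the "host/" prefix an 802.1X supplicant sends for machine auth.
DIRECTORY: Dict[str, Identity] = {
    "alice": Identity("alice", frozenset({"Domain Users", "Wireless Access"})),
    "svc-backup": Identity("svc-backup", frozenset({"Domain Users", "Deny Wireless"})),
    "kiosk": Identity("kiosk", frozenset({"Domain Users"})),
    "host/laptop01": Identity("host/laptop01", frozenset({"Domain Computers"})),
}


def evaluate(rules: List[Rule], ident: Identity) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to an implicit deny."""
    for name, cond, decision in rules:
        if cond(ident):
            return decision, name
    return "deny", "default"


def decide(rules: List[Rule], username: str) -> str:
    ident = DIRECTORY.get(username)
    if ident is None:  # unknown to AD: fail closed
        return "deny"
    return evaluate(rules, ident)[0]


def unreachable_rules(rules: List[Rule], identities: Iterable[Identity]) -> List[str]:
    """Rules that never decide for any known identity. A deny placed after a broad
    permit shows up here, which is the mistake to catch before deploying the policy."""
    hit = {evaluate(rules, ident)[1] for ident in identities}
    return [name for name, _, _ in rules if name not in hit]


# Design 1 (first idea in the question): keep Domain Users, carve out a Deny Wireless group.
# The deny must sit before the broad permit.
DENY_GROUP_RULES: List[Rule] = [
    ("block-deny-wireless", in_group("Deny Wireless"), "deny"),
    ("machines", in_group("Domain Computers"), "permit"),
    ("domain-users", in_group("Domain Users"), "permit"),
]

# The same three rules with the deny moved last: the Domain Users permit shadows it.
MISORDERED_RULES: List[Rule] = [DENY_GROUP_RULES[1], DENY_GROUP_RULES[2], DENY_GROUP_RULES[0]]

# Design 2 (second idea in the question): replace Domain Users with an explicit Wireless Access group.
# Accounts that were never added to it (the kiosk account here) fall through to the implicit deny.
ALLOW_LIST_RULES: List[Rule] = [
    ("machines", in_group("Domain Computers"), "permit"),
    ("wireless-access", in_group("Wireless Access"), "permit"),
]


if __name__ == "__main__":
    for label, rules in (("deny-group", DENY_GROUP_RULES),
                         ("deny-group misordered", MISORDERED_RULES),
                         ("allow-list", ALLOW_LIST_RULES)):
        print(label)
        for user in DIRECTORY:
            print(f"  {user:14s} -> {decide(rules, user)}")
        print("  unreachable rules:", unreachable_rules(rules, DIRECTORY.values()))
```

Running it shows the practical difference: the deny-group design keeps working for every existing user but silently stops protecting anything the moment the deny rule slips below the Domain Users permit (the `unreachable_rules` check flags that), whereas the allow-list design fails closed for any account nobody added to the group.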
09-10-2013 09:14 AM
ACS supports the authentication of computers that are running the Microsoft Windows operating systems that support EAP computer authentication. Machine authentication, also called computer authentication, allows network services only for computers known to Active Directory. This feature is especially useful for wireless networks, where unauthorized users outside the physical premises of your workplace can access your wireless access points.
When machine authentication is enabled, there are three different types of authentications. When starting a computer, the authentications occur in this order:
•Machine authentication—ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows identity store. If you use Active Directory and the matching computer account in AD has the same credentials, the computer gains access to Windows domain services.
•User domain authentication—If machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. In this case, the user can log in to only the local system. When a user is authenticated by cached credentials, instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.
Please check the link below for Active Directory joining and managing users and groups.
09-10-2013 11:15 AM
Hi Logan,
I am also with Rashid. Having Access Policies configured will solve your case. Below is the link that might help you.
09-10-2013 12:53 PM
Thanks for the responses. I'll check out the 2 links and try to get the groups set up.