10-30-2006 02:21 PM - edited 03-10-2019 02:49 PM
Hi, can you help me on this ?
Cisco ACS 3.3.
Goal: I want to allow only users who are members of the security group 'myActiveDirectoryDomain\WirelessACS' to be able to authenticate.
I am doing this in a lab environment before going into production:
On ACS 3.3, I mapped a group named "ACSWireless". I created the respective group "DomainWireless" in active directory.
My question is:
On ACS 3.3, which option should I pick under "Interface Configuration" in order to configure the options on ACS which will allow the AAA client 'Access Points' to gain access ? I found an option for VPN, but not wireless. That's not very clear to me.
On "Group setup", I ended up with the "Jump to" options Access Restrictions, IP Address Assignment, RADIUS (Cisco IOS/PIX) and RADIUS IETF. I don't see anything explicit there for 'wireless' or access points.
Your direction on this would be really appreciated. Please find attached screenshots showing how my configuration looks.
10-30-2006 06:43 PM
Let me add that I am trying to make the ACS authenticate users through LEAP.
On the respective Access Point 1200, in the "Express Security" menu, I have already entered the ACS server IP address.
11-30-2006 10:08 AM
If I understood right, you want a specific group in the ACS database to be allowed to authenticate only against a single NAS or NDG.
I have done this the following way:
I created an NDG (Network Device Group) called Wireless APs. I added every AP to this group. Then you go to the group setup and edit the group settings. Check the "Per Group Defined Network Access Restrictions" and add your NDG containing the wireless APs. Use the "*" wildcard for the port and address filters so your clients are allowed to connect to every AP on every port. That's all. You can test this by not including an AP in the NDG. Clients connecting to that AP shouldn't be allowed to connect, because the NAR is in place and this AP is not in the allowed list.
If you can't create NDGs then go to Interface configuration / Advanced options and check the Network Device Group option (not enabled by default).
If you don't see "Network Access Restrictions" on the group settings page then go again to Interface Configuration / Advanced Options and check the "Group-Level Network Access Restrictions" (also not enabled by default).
11-30-2006 12:08 PM
Hi
When you said "I want to allow only users who are members of the security group 'myActiveDirectoryDomain\WirelessACS' to be able to authenticate", did you mean all other AD users should *not*?
If this is the case, edit the group mappings to map all other AD groups to "no access".
Any AD user who is not in the correct group will get rejected.
If you're going to use NARs, make sure you use DNIS/CLID NARs, as these are Layer 2.
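As an added illustration (not code from either poster or from Cisco ACS itself), here is a small Python model of the two controls the replies describe: the group mapping that sends unmapped AD groups to "No Access", and the per-group NAR that permits the group only through AAA clients in the "Wireless APs" NDG, with "*" wildcards for address and port. The AP addresses, the extra AD group, the MAC and the port value are constructed for the example.

```python
"""Toy model (constructed) of the two ACS 3.3 controls from the replies:
AD-group mapping with unmapped groups -> "No Access", and a per-group NAR
that permits the group only via AAA clients in the "Wireless APs" NDG."""
from fnmatch import fnmatch

# Constructed: AD security group -> ACS group; anything not listed maps to
# "No Access", as the second reply recommends.
GROUP_MAPPINGS = {"myActiveDirectoryDomain\\WirelessACS": "ACSWireless"}
NO_ACCESS = "No Access"

# Constructed: NDG "Wireless APs" holding the APs' (AAA clients') IP addresses.
NDGS = {"Wireless APs": {"10.0.0.11", "10.0.0.12"}}

# Constructed per-group NAR: permit only via the NDG; "*" matches any
# calling address or port, as the first reply suggests.
GROUP_NARS = {"ACSWireless": [{"ndg": "Wireless APs", "address": "*", "port": "*"}]}


def map_ad_groups(ad_groups):
    """Return the ACS group for the first mapped AD group, else No Access."""
    for g in ad_groups:
        if g in GROUP_MAPPINGS:
            return GROUP_MAPPINGS[g]
    return NO_ACCESS


def nar_permits(acs_group, aaa_client_ip, client_address, port):
    """Evaluate the group's permitted-NAR list; a group without a NAR is unrestricted."""
    nars = GROUP_NARS.get(acs_group)
    if nars is None:
        return True
    for nar in nars:
        if (aaa_client_ip in NDGS.get(nar["ndg"], set())
                and fnmatch(client_address, nar["address"])
                and fnmatch(port, nar["port"])):
            return True
    return False


def authorize(ad_groups, aaa_client_ip, client_address="00-11-22-33-44-55", port="0"):
    """Return (decision, reason) for a user in ad_groups connecting via an AP."""
    acs_group = map_ad_groups(ad_groups)
    if acs_group == NO_ACCESS:
        return "reject", "AD group(s) mapped to No Access"
    if not nar_permits(acs_group, aaa_client_ip, client_address, port):
        return "reject", f"NAR: AAA client {aaa_client_ip} not in a permitted NDG"
    return "accept", f"group {acs_group} via permitted NDG"


if __name__ == "__main__":
    print(authorize(["myActiveDirectoryDomain\\WirelessACS"], "10.0.0.11"))
    print(authorize(["myActiveDirectoryDomain\\WirelessACS"], "10.0.0.99"))  # AP left out of the NDG
    print(authorize(["myActiveDirectoryDomain\\Domain Users"], "10.0.0.11"))
```

The second call reproduces the test from the first reply (an AP deliberately left out of the NDG is rejected by the NAR); the third shows the "No Access" mapping rejecting a user from another AD group even on a permitted AP.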