Currently trying to set up the above so that if an access service is not matched
then it will go to the next one.
Looking at the logs what happens is - our auth is set to AD so it matches
that - then it isnt in the correct ext AD group and goes to default deny access.
Cant see how to get around this - the only continue command is in the advanced
area of the auth - but i cant set up ext ad groups on the auth.
How do i get this to move between access services if it doesnt match the ext AD
group or NDG
Is the user still present in another database also or did you setup a user with the same username on the internal database? Usually you dont have to use another access service unless you are switching protocols such as tacacs or radius.
You can set another authorization rule (within the same access policy) so that if the user doesnt match the first AD group then you can go down to the one that matches and set the result.
So Tarik what you are basically saying is that -
If you are using TACACS then you should really use one access service with a number of rules on it.
However is we are also using RADIUS is when we should have another access service for that.
Yes the built in service selection rules come out of the box this way.
In you scenario if you have multiple ad groups and have a requirement on how these group will be authorized within the network, you will first create a policy element in which the authorization profile will be defined for example:
We will define a policy called sales, in it will have the radius av pairs that assign vlan 10, another policy called marketing and the av pairs for vlan 20 are defined.
When you build your access policy you will go to authorization and select the customize button on the bottom right and choose the external groups option by moving it from the left over to the right. When you create your authorization rule you can pick the ad group and select either the sales or marketing authorization profile you created under the results.
Sent from Cisco Technical Support iPad App