
acs & restrictions

aram_galestian
Level 1

Hi..

I'm trying to understand the way ACS works with group mapping to Active Directory.

What I want to achieve is:

1- to have an AD group for Wireless users who are permitted to authenticate and use WLAN

2- to have an AD group for VPN users who are permitted to authenticate and use VPN

3- to have an AD group for Switch Admins who are permitted to authenticate and manage LAN switches.

For example, some users who are members of the VPN group also need to be members of the wireless group in AD..

Is that possible to have? Or do I need to set up an additional ACS server for each

2 Replies

jhillend
Level 1

First, you will need to have ACS 4.0 or above.

Next, you need to set up group mapping for AD with the following:

AD group wireless = W

AD group VPN = V

AD group Switch mgmt = S

ACS group 1 = W V S

ACS group 2 = W V

ACS group 3 = W S

ACS group 4 = V S

ACS group 5 = W

ACS group 6 = V

ACS group 7 = S

These MUST be set up in the described order.

Note - for 3 non-exclusive AD groups you need to configure 7 ACS groups. This problem will be alleviated in ACS 5.x

Now, in each ACS group mapped with W have a NAR that permits access to the wireless devices, V with a NAR that permits access to VPN devices and S with a NAR that permits access to the switches, such that:

ACS group 1: NAR_w, NAR_v, NAR_s

ACS group 2: NAR_w, NAR_v

and so on.
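
An added example, not part of the original reply: a small Python model of the mapping scheme described in the answer above, showing why the order matters. It assumes ACS applies the first mapping in list order whose AD groups the user all belongs to; `build_mappings` and `map_user` are hypothetical names, not ACS features.

```python
from itertools import combinations

# AD group labels and NAR names as used in the answer above.
NAR = {"W": "NAR_w", "V": "NAR_v", "S": "NAR_s"}


def build_mappings(ad_groups):
    """Return every non-empty combination of AD groups, largest first.

    Each entry stands for one ACS group; its position in the list is the
    mapping order (index 0 = ACS group 1).
    """
    ordered = []
    for size in range(len(ad_groups), 0, -1):
        ordered.extend(frozenset(c) for c in combinations(ad_groups, size))
    return ordered


def map_user(memberships, mappings):
    """First-match lookup (assumed model): a mapping matches when the user
    belongs to all AD groups it lists. Returns (ACS group number, NARs)."""
    member = set(memberships)
    for number, required in enumerate(mappings, start=1):
        if required <= member:
            return number, sorted(NAR[g] for g in required)
    return None, []  # no mapping matched, so no NAR permits access


MAPPINGS = build_mappings(["W", "V", "S"])

if __name__ == "__main__":
    # Constructed sample users and their AD memberships.
    for name, groups in [("alice", {"W", "V", "S"}),
                         ("bob", {"W", "V"}),
                         ("carol", {"S"})]:
        print(name, map_user(groups, MAPPINGS))
    # Wrong order: single-group mappings first. A member of all three AD
    # groups now lands in a switch-only ACS group and loses W and V access.
    print("reversed:", map_user({"W", "V", "S"}, list(reversed(MAPPINGS))))
```
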

Thanks for the very good answer. I'm running ACS 4.1, which raises some other questions for me.. :)

1- What will happen if I apply the Downloadable ACL, which I would have only for VPN users, on

ACS group 1 = W V S

2- Do you know when version 5.0 will be released..
