ACS 4.2 and Windows Policies.

jacovr
Level 1

Hi

I need to set up ACS 4.2 to enable users to authenticate on AD (Windows 2003 Server) to access my Wireless Network via RADIUS, to access the Routers & Switches via TACACS+, and to use a VPN connection to access the network remotely.

Currently I have the ACS talking to the Windows Server & the Routers/Switches & Controller talking to the ACS.

However, I need to configure policies on the AD or ACS to only allow certain users (based on user groups on AD, I suppose) to have certain access on the network (WiFi or VPN or TACACS+ or both).

And this is where I got stuck. Currently the users have access to everything regardless of what groups they belong to on AD.

Any point in the right direction will be appreciated.

Regards

Jaco

4 Replies

kcnajaf
Level 7

Hi Jaco,

I hope you can achieve this by creating ACS groups and AD groups, then mapping these groups. For example:

Let us assume the two groups on AD are 1) Wireless and 2) VPN.

To achieve this:

1. We can create 3 groups on the ACS: 1) Wireless, 2) VPN & 3) Wireless+VPN.

2. Then in Windows group mapping, Wireless+VPN (on ACS) maps to the two groups Wireless and VPN on AD; Wireless (ACS) maps to Wireless on AD; VPN (ACS) maps to VPN on AD.

3. Ensure that the mapping order is as follows:

1) Wireless+VPN group (on ACS) maps to the two AD groups Wireless and VPN.

2) Wireless (ACS) maps to Wireless on AD.

3) VPN (ACS) maps to VPN on AD.

Hope that helps.

Najaf

Please rate when applicable or helpful !!!
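The reason step 3 insists on that order, shown as an added example that is not from this thread or from Cisco ACS: a small Python model of the group-mapping walk, assuming (as ACS 4.x behaves) that the mapping list is evaluated top-down and the user lands in the first ACS group whose AD groups they all hold. The group names are the thread's; the `<No Access>` fallback is an assumption.

```python
# Added example: models ACS 4.2 Windows group mapping for the groups in the
# thread. Not ACS code; the first-match, top-down evaluation is assumed.

# Each entry: (ACS group, set of AD groups the user must belong to).
# This is the order Najaf recommends: the combination mapping comes first.
CORRECT_ORDER = [
    ("Wireless+VPN", {"Wireless", "VPN"}),
    ("Wireless", {"Wireless"}),
    ("VPN", {"VPN"}),
]

# Same mappings with the single-group entries listed first.
WRONG_ORDER = [
    ("Wireless", {"Wireless"}),
    ("VPN", {"VPN"}),
    ("Wireless+VPN", {"Wireless", "VPN"}),
]

# Assumed fallback for users matching no mapping; in a real deployment this
# should be a group that authorizes nothing, so unmapped users get no access.
NO_ACCESS = "<No Access>"


def map_user(ad_groups, mapping_order=CORRECT_ORDER, default=NO_ACCESS):
    """Return the ACS group a user is placed in, given their AD groups.

    Walks the mapping list in order and returns the first ACS group whose
    required AD groups are all present; later entries are never examined.
    """
    ad_groups = set(ad_groups)
    for acs_group, required in mapping_order:
        if required.issubset(ad_groups):
            return acs_group
    return default


def mapping_differences(users, order_a=CORRECT_ORDER, order_b=WRONG_ORDER):
    """Return {user: (group under order_a, group under order_b)} for users
    whose ACS placement depends on the mapping order."""
    out = {}
    for user, ad_groups in users.items():
        a, b = map_user(ad_groups, order_a), map_user(ad_groups, order_b)
        if a != b:
            out[user] = (a, b)
    return out


# Constructed sample users; "Domain Users" is a group with no mapping.
SAMPLE_USERS = {
    "alice": {"Domain Users", "Wireless", "VPN"},
    "bob": {"Domain Users", "Wireless"},
    "carol": {"Domain Users"},
}
```

Only alice, who is in both AD groups, is affected by the order: with the single-group entry first she matches Wireless and never reaches Wireless+VPN.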

Amjad Abdullah
VIP Alumni

+5 Najaf.

Jaco: you need to integrate the ACS with the AD and map AD groups to ACS groups.

Check this link for group mapping: http://tiny.cc/ykqqsw

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

jacovr
Level 1

Thanks Guys.

I got that part working.

When connecting, the user gets placed (on the ACS) in the group specified by the AD account.

The issue that I have now is that, after the user authenticates & connects once, he has access to the network regardless of which group he is in or whether his account is disabled or not.

Regards

You mean after they connect once they are able to connect even if the AD account is disabled?

If that is correct, then try to disable dynamic accounts on the ACS.

Rating useful replies is more useful than saying "Thank you"