Showing results for 
Search instead for 
Did you mean: 

ACS 4.2 authentication issue


i have created two ssid on WLC & authentication Via ACS to AD. after that i have configure TACACS+ on same ACS Server but some of the users can login in Wi-Fi which are not in member of Wi-Fi group.

Please find the below ACS configuration.

Group 1 >>>>  HIgh managemnet Users  " this user can login in SSID 1"

Group 3 >>>> Corporate User    "this users can login in SSID 2"

In group configuration i have configure DNIS/CLI based configuration.

AAA client select

Port *



same configuration for SSID 2

after that i have creat two more group for TACACS + for Device authentication (Shell command based) (Authentication through AD)

Group 5 >>>> Full Access

Group 6 >>>> Read Only Access.

but now what ever user are in group 5 & 6 those are login in Wifi.

how to stop them?

Scott Fella
Hall of Fame Master

You need to see what policy these users are hitting. It seems like there is a policy that might be higher that these users are hitting and not what you want to use. Clear the counters and check the log and test. Radius and Tacacs are separate and has nothing to do with each other. You might want to post some screen shots of your ACS so we can see what you have setup.

Sent from Cisco Technical Support iPhone App

*** Please rate helpful posts ***

I have configure above setting for SSID 1 in Group 1 & MAP security group (with AD) with Group 1 in external Database.

I have configure above setting for SSID 2 in Group 3 & MAP security group (with AD) with Group 3 in external Database.

till the time user maped in Group 3 is not login in group1 SSID.

after that i have configure TACACS + on same server with

Group 5 >>>> Full Access ( Shell command authorization Set)

Group 6 >>>> Read Only Access.( Shell command authorization Set)

Exp. hparekh is member of Group 6 & Group 3 but now it is login in Group 1 SSID.

Please find the External database setting

hparekh users is member of Group 1 & Group 6 when he login in Wi-Fi he is authenticated through Group 6 & all the users of group 6 is login in Wi-fi since those are not member of any Wi-Fi group.

Amjad Abdullah


By default any groups is allowed to Wi-Fi unless you explicitly prevent it. For groups 5 & 6 not to connect to any SSID, you need to create CLI/DNIS filter to DENY access to all SSIDs. (or you can try creating an IP-based filter and DENY access to the WLC devices. This only works correctly if you do not use ACS to provide management access to the WLC/WLCs or else the management access will also be denied from the denied groups).



Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"


if i am block the SSID in Group 5  & 6 then i am unable to connect any SSID which i am member of Group 1 SSID.

What do you mean by that? How can a user be a member of two groups at the same time? That is not possible with your version.

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
Content for Community-Ad