i have created two ssid on WLC & authentication Via ACS to AD. after that i have configure TACACS+ on same ACS Server but some of the users can login in Wi-Fi which are not in member of Wi-Fi group.
Please find the below ACS configuration.
Group 1 >>>> HIgh managemnet Users " this user can login in SSID 1"
Group 3 >>>> Corporate User "this users can login in SSID 2"
In group configuration i have configure DNIS/CLI based configuration.
AAA client select
same configuration for SSID 2
after that i have creat two more group for TACACS + for Device authentication (Shell command based) (Authentication through AD)
Group 5 >>>> Full Access
Group 6 >>>> Read Only Access.
but now what ever user are in group 5 & 6 those are login in Wifi.
how to stop them?
You need to see what policy these users are hitting. It seems like there is a policy that might be higher that these users are hitting and not what you want to use. Clear the counters and check the log and test. Radius and Tacacs are separate and has nothing to do with each other. You might want to post some screen shots of your ACS so we can see what you have setup.
Sent from Cisco Technical Support iPhone App
I have configure above setting for SSID 1 in Group 1 & MAP security group (with AD) with Group 1 in external Database.
I have configure above setting for SSID 2 in Group 3 & MAP security group (with AD) with Group 3 in external Database.
till the time user maped in Group 3 is not login in group1 SSID.
after that i have configure TACACS + on same server with
Group 5 >>>> Full Access ( Shell command authorization Set)
Group 6 >>>> Read Only Access.( Shell command authorization Set)
Exp. hparekh is member of Group 6 & Group 3 but now it is login in Group 1 SSID.
Please find the External database setting
hparekh users is member of Group 1 & Group 6 when he login in Wi-Fi he is authenticated through Group 6 & all the users of group 6 is login in Wi-fi since those are not member of any Wi-Fi group.
By default any groups is allowed to Wi-Fi unless you explicitly prevent it. For groups 5 & 6 not to connect to any SSID, you need to create CLI/DNIS filter to DENY access to all SSIDs. (or you can try creating an IP-based filter and DENY access to the WLC devices. This only works correctly if you do not use ACS to provide management access to the WLC/WLCs or else the management access will also be denied from the denied groups).
Rating useful replies is more useful than saying "Thank you"
What do you mean by that? How can a user be a member of two groups at the same time? That is not possible with your version.
Sent from Cisco Technical Support iPad App