Issue with Shared NAR

Sohail Muhammad
Level 1

Hi All,

I have a WLC 5508 which is integrated with ACS 4.2 and MS AD. User groups are mapped on ACS. Each group is assigned to an SSID. Now, I want to restrict the users of each group to connecting to the corresponding SSID. I have 4 x SSIDs & groups:

- Corp

- IT

- VIP

- Consultant

I have configured Shared NARs for each group with CLI as ANY and DNIS as the corresponding SSID. A user who is a member of a single group is authenticated successfully. But if a user is a member of multiple groups, I am getting the following error.

| Field | Value |
|---|---|
| Message-Type | Authen failed |
| User-Name | meraas\wlan.test01 |
| Group-Name | VIP_AD_Group |
| Authen-Failure-Code | Users Access Filtered |
| NAS-Port | meraas\wlan.test01 |
| NAS-IP-Address | 172.30.1.10 |
| Filter Information | No Filters activated. |
| EAP Type | 25 |
| EAP Type Name | MS-PEAP |
| Reason | |
| Access Device | EMAAR3-WL-CONTROLLER-01 |
| Network Device Group | WLC |

Following are the screenshots of what I have configured on ACS for the Shared NARs.

I have mapped 2 of the Shared NARs on User's Advanced settings to allow if any of the NARs results in permit.

Following are the group mappings for the domain.

Further, I have also configured NARs on each group for the users who are members of only one group. That is working fine. But whenever a user who is a member of 2 groups tries to authenticate, I am getting the mentioned error. Looking forward to your help.

Regards,

Sohail

4 Replies

Jatin Katyal
Cisco Employee

Sohail,

The screenshots are not attached. Could you please post them again?

The Wlan.test01 user is being assigned to the VIP_AD_GROUP group on ACS and I'm sure that group is configured for some other SSID; that is why you're getting denied with User Access Filtered.

Could you please tell me which AD groups the Wlan.test01 user is part of?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Above are the screenshots.

Sohail

wlan.test01 is the member of VIP & Corp groups only.

Sohail

Hi Sohail,

The user wlan.test01 is getting the right group, VIP_AD_GROUP. However, it seems your NAR settings are configured in both user and group setup. You need to disable NAR on the user wlan.test01 by editing the user and unchecking "only allow network access when"; the third screenshot shows that setting. Only enable NAR on groups, like you have configured in the first and second screenshots for VIP and CORP. Disable it in user setup and try again; it should work without any issues.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin