07-06-2013 07:10 AM - edited 07-04-2021 12:21 AM
Hi All,
I have a WLC 5508 which is integrated with ACS 4.2 and MS AD. User groups are mapped on ACS. Each group is assigned to an SSID. Now, I want to restrict the users of each group to come up with the corresponding SSID. I have 4 x SSIDs & Groups as:
- Corp
- IT
- VIP
- Consultant
I have configured Shared NARs for each group with CLI as ANY and DNIS as the corresponding SSID. A user who is a member of a single group is authenticated successfully. But if a user is a member of multiple groups, I am getting the following error.
Message-Type | User-Name | Group-Name | Authen-Failure-Code | NAS-Port | NAS-IP-Address | Filter Information | EAP Type | EAP Type Name | Reason | Access Device | Network Device Group |
Authen failed | meraas\wlan.test01 | VIP_AD_Group | Users Access Filtered | meraas\wlan.test01 | 172.30.1.10 | No Filters activated. | 25 | MS-PEAP | EMAAR3-WL-CONTROLLER-01 | WLC |
Following are the screenshots of what I have configured on ACS for the Shared NARs.
I have mapped 2 of the Shared NARs on User's Advanced settings to allow if any of the NARs results in permit.
Following is the group mappings for the domain.
Further, I have also configured NARs on each group for the users who are members of only one group. That is working fine. But whenever a user who is a member of 2 groups tries to authenticate, I am getting the mentioned error. Looking forward to your help.
Regards,
Sohail
07-06-2013 07:31 AM
Sohail,
Screenshots are not attached. Could you please post them again?
The Wlan.test01 user is being assigned to the VIP_AD_GROUP group on ACS and I'm sure that group is configured for some other SSID; that is why you're getting denied with Users Access Filtered.
Could you please tell me which AD groups the Wlan.test01 user is part of?
~BR
Jatin Katyal
**Do rate helpful posts**
07-06-2013 09:06 PM
Above are the screenshots.
Sohail
07-06-2013 09:10 PM
wlan.test01 is the member of VIP & Corp groups only.
Sohail
07-07-2013 09:56 PM
Hi Sohail,
The user wlan.test01 is getting the right group, VIP_AD_GROUP. However, it seems your NAR settings are configured on both user and group setup. You need to disable NAR on the user wlan.test01 by editing the user and unchecking "only allow network access when"; the third screenshot shows that setting. Only enable NAR on groups, like you have configured in the first and second screenshots for VIP and CORP. Disable it on user setup and try again; it should work without any issues.
~BR
Jatin Katyal
**Do rate helpful posts**