11-10-2012 09:14 PM
I am trying to configure our wireless access to require a user be a member of an AD group. I'm using Cisco ACS 4.2 and have followed this KB - http://support.arubanetworks.com/ArubaOSKB/tabid/111/Default.aspx. My issue is it's still allowing everyone to authenticate successfully even though they are not a member of the group.
I can't see anywhere in the logs why it would be successful when the user isn't in the group. My test user "jmkrueger" is not a member of the required group but still gets the authenticated user role.
Anyone help point out what I'm missing?
11-10-2012 10:16 PM
I've somewhat figured out my problem but it doesn't necessarily make sense to me how the controller is handling this.
The default group (in ACS) that my test user was in was not set up to return any value for "Filter-ID", which to me means the authentication would fail, since I thought it would be looking for the "allowaccess" attribute. It seems that if there is no attribute returned, the user is allowed access instead of denied.
To fix it I set up the default group to return "denyaccess" for Filter-ID and then added a second server rule looking for that and assigning the denyall role.
11-11-2012 03:55 AM
You are doing it correctly. The only other way is if the ACS server finds that a user is NOT in an AD group, it would not return a positive result and would signal an Access-Reject to the controller.
Aruba Customer Engineering
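As an added illustration (not code from this thread, from Aruba or from Cisco), here is a small Python model of the two behaviours discussed above: a RADIUS reply parser that pulls the Filter-ID attribute (type 11, RFC 2865) out of an Access-Accept, and a server-derivation-rule evaluator that assigns a role. The rule table, role names beyond "authenticated" and "denyall", first-match rule ordering, and the packet bytes are all constructed for the example; real ACS replies would also carry a valid authenticator, which this model does not check.

```python
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11  # Filter-ID: free-form string the NAS maps to a policy/role


def build_reply(code, attrs=()):
    """Build a RADIUS reply: 20-byte header (code, id, length, 16-byte
    authenticator) followed by type/length/value attributes. The
    authenticator is zeroed because this example never verifies it."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


def parse_radius(packet):
    """Return (code, {attribute_type: [values]}) from a raw RADIUS packet,
    rejecting truncated packets and attributes that overrun the length field."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("Truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("Malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def derive_role(packet, rules, default_role="authenticated", fail_closed=False):
    """Model of server derivation rules. An Access-Reject denies the user.
    Otherwise rules are checked in order and the first match assigns its role
    (first-match ordering is an assumption of this model). If no rule matches,
    the user falls through to the authentication method's default role, which
    is the fail-open behaviour seen in the thread, unless fail_closed is set."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return "denyall"
    for attr_type, expected, role in rules:
        for value in attrs.get(attr_type, []):
            if value.decode("utf-8", errors="replace") == expected:
                return role
    return "denyall" if fail_closed else default_role


# Rule tables as (attribute, value to match, role to assign): the original
# single rule, and the table after the "denyaccess" rule was added.
RULES_BEFORE = [(ATTR_FILTER_ID, "allowaccess", "authenticated")]
RULES_AFTER = RULES_BEFORE + [(ATTR_FILTER_ID, "denyaccess", "denyall")]

# Constructed replies standing in for what ACS would send.
ACCEPT_ALLOW = build_reply(ACCESS_ACCEPT, [(ATTR_FILTER_ID, b"allowaccess")])
ACCEPT_DENY = build_reply(ACCESS_ACCEPT, [(ATTR_FILTER_ID, b"denyaccess")])
ACCEPT_EMPTY = build_reply(ACCESS_ACCEPT)  # group that returns no Filter-ID at all
REJECT = build_reply(ACCESS_REJECT)


if __name__ == "__main__":
    print("before fix, no Filter-ID:  ", derive_role(ACCEPT_EMPTY, RULES_BEFORE))
    print("after fix, denyaccess:     ", derive_role(ACCEPT_DENY, RULES_AFTER))
    print("after fix, no Filter-ID:   ", derive_role(ACCEPT_EMPTY, RULES_AFTER))
    print("fail-closed, no Filter-ID: ", derive_role(ACCEPT_EMPTY, RULES_BEFORE, fail_closed=True))
    print("Access-Reject:             ", derive_role(REJECT, RULES_AFTER))
</test>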