Wireless Access

Reply
Occasional Contributor I

Wireless authentication group membership - Cisco ACS

I am trying to configure our wireless access to require a user be a member of an AD group. I'm using Cisco ACS 4.2 and have followed this KB - http://support.arubanetworks.com/ArubaOSKB/tabid/111/Default.aspx. My issue is it's still allowing everyone to authenticate successfully even though they are not a member of the group. 

 

I can't see anywhere in the logs why it would be successful when the user isn't in the group. My test user "jmkrueger" is not a member of the required group but still gets the authenticated user role.

 

Anyone help point out what I'm missing?

 

Thanks,

Justin

 

Occasional Contributor I

Re: Wireless authentication group membership - Cisco ACS

I've somewhat figured out my problem but it doesn't necessarily make sense to me how the controller is handling this.

 

The default group (in ACS) that my test user was in was not setup to return any value for "Filter-ID" which to me means the authentication would fail since I thought it would be looking for the "allowaccess" attribute. It seems that if there is not a attribute returned the user is allowed access instead of denied. 

 

To fix it I set it up to the default group to return a "denyaccess" for Filter-ID and then added a second server rule looking for that and assigning the denyall role. 

Guru Elite

Re: Wireless authentication group membership - Cisco ACS

You are doing it correctly.  The only other way is if the ACS server finds that a user is NOT in an AD group, it would not return a positive result and signal to the controller access-reject.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: