Hi, I have a site where users have the option to either dial in, dial in and be dialed back or to VPN via PPTP to a 3005 concentrator. All user authentication is provided by a Cisco Secure ACS (v3.1). Users are placed into groups depending on their access needs, so example John will be in the Dial Back group, so when he dials into the RAS Router his group gets mapped dynamically from the ACS server depending on what NT group he is in. I have groups coinfigured on the ACS in the following order: VPN Dial-In DialBack My problem comes when I have users that are in both the VPN AND DialBack groups, when one of these users dial in the ACS checks against the groups top to bottom in that list,on a first match basis, and matches the VPN group first. This allows the user to dial in, but they never get assigned to the DialBack group (the ACS logs show them assigned to the VPN group for that connection.) I tried to change the sequence of the groups within ACS putting the DialBack first and VPN second, but this didnt have the desired effect dialBack users were called back but VPN connections werent being allowed. Does anyone have an idea what I need to do to get this working, so when a user from DialBack AND VPN groups dials into the RAS Router, they get called back, and if they start a PPTP connection they get authenticated without an error. Does anyone out there have a similar setup and can shed any light on the matter? Cheers, Jo
