ACS Dynamic Group Assignment

Discussion in 'Cisco' started by jo, Feb 28, 2005.

  1. jo

    jo Guest

    Hi,

    I have a site where users have the option to either dial in, dial in and be
    dialed back or to VPN via PPTP to a 3005 concentrator. All user
    authentication is provided by a Cisco Secure ACS (v3.1). Users are placed
    into groups depending on their access needs, so example John will be in the
    Dial Back group, so when he dials into the RAS Router his group gets mapped
    dynamically from the ACS server depending on what NT group he is in.

    I have groups coinfigured on the ACS in the following order:

    VPN
    Dial-In
    DialBack

    My problem comes when I have users that are in both the VPN AND DialBack
    groups, when one of these users dial in the ACS checks against the groups
    top to bottom in that list,on a first match basis, and matches the VPN group
    first. This allows the user to dial in, but they never get assigned to the
    DialBack group (the ACS logs show them assigned to the VPN group for that
    connection.)

    I tried to change the sequence of the groups within ACS putting the DialBack
    first and VPN second, but this didnt have the desired effect dialBack users
    were called back but VPN connections werent being allowed.

    Does anyone have an idea what I need to do to get this working, so when a
    user from DialBack AND VPN groups dials into the RAS Router, they get called
    back, and if they start a PPTP connection they get authenticated without an
    error.

    Does anyone out there have a similar setup and can shed any light on the
    matter?

    Cheers,
    Jo
     
    jo, Feb 28, 2005
    #1
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.