Wireless Virtual LAN - SSID and ACS User Mapping

Hi Everybody
We have the following scenario:
- WLC 4402 and ACS 3.3
- 2 SSIDs, one for employees and one for guests
- All users (guests and employees) are authenticated against the ACS Server.
We would like to only permit Guest users to use the Guest SSID.
I've been reading the Wireless Virtual LAN Deployment Guide:
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
and have tried to use method 1.
- RADIUS-based SSID access control:
"Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
"This is configured by enabling the '[026/009/001] cisco-av-pair' option. On the ACS Server
- Enable and configure Cisco IOS/PIX RADIUS Attribute,
009\001 cisco-av-pair
- Example: ssid=LEAP_WEP"
I've tried this, but regardless of which SSID the user(-group) has configured, it still can access all SSIDs?
Does anyone have any idea of what I'm doing wrong?
Does this setting only apply to access points, or is it also valid for the WLC 44xx series?
Greetings
Jarle

Hi, I'm sorry but this still does not help.
We have now upgraded ACS to version 4.0 and I'm still having the same problems.
This is what I have configured:
WLC:
- WLAN
- SSID : Public
- WLAN id = 3
- L2 Security : 802.1x
- Interface Name : GuestVLAN
- Controller - Interface
- management - Untagged
- GuestVLAN - VLAN 112
- Security
- RADIUS Servers
When authenticating a Guest (belonging to the proper group in ACS), the right VLAN is used, IP addresses from DHCP are received, and the Guest can access the internet.
Switch:
- Port connected to WLC uses Trunking.
- Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
ACS:
- AAA Client is the WLC, Authenticating using Cisco Airespace
- Guest Users are member of Group 11
- Private Users are member of Group 1
Group 11
- Use Per Group NAR to only allow WLAN Access
- Cisco Airespace RADIUS Attributes
x 14179\001 - Aire-WLAN-ID = 3
- Cisco IOS / PIX RADIUS Attributes
x 009\001 Ciso-av-pair = "ssid=Public"
- IETF Radius Attributes
x 006 Service Type = Login
x 007 Framed-Prot = ppp
x 064 Tunnel-Type = VLAN
x 065 Tunnel-Medium-tye = 802.1x
x 081 Tunnel-Private-Group-ID = 112
Group (default Group)
- Cisco Airespace RADIUS
x 14179\001 Aire-WLAN-ID = 1
- Cisco IOS/PIX Radius Attrib
x 009\001 Cisco-av-pair = "ssid=Private"
- IETF RADIUS
x 008 Service-type = Login
x 064 Tunnel-Type = VLAN
x 065 Tunnel-Medium-tye = 802.1x
x 081 Tunnel-Private-Group-ID = 1
Do you have any idea of what I should change?
Greetings
Jarle
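
A diagnostic for the setup described in the post above, added here as an example and not part of the original thread: it decodes the attribute section of a RADIUS Access-Accept and reports where the returned `ssid=` list and Aire-WLAN-ID differ from the WLAN the client actually joined. The reply bytes are constructed from the Group 11 values in the post, the function names are hypothetical, and the numeric values 13 (Tunnel-Type VLAN) and 6 (Tunnel-Medium-Type 802) are the standard RADIUS assignments.

```python
import struct

VSA = 26                  # Vendor-Specific, the "026" in "[026/009/001]"
VENDOR_CISCO = 9          # "009\001": vendor 9, sub-attribute 1 = cisco-av-pair
VENDOR_AIRESPACE = 14179  # "14179\001": vendor 14179, sub-attribute 1 = Aire-WLAN-ID
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def tlv(attr_type, value):
    """Encode one attribute: type, length (2 header bytes included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def vsa(vendor_id, sub_type, value):
    """Encode a Vendor-Specific attribute carrying a single sub-attribute."""
    return tlv(VSA, struct.pack("!I", vendor_id) + tlv(sub_type, value))


def _split(data):
    """Yield (type, value) pairs from a run of type/length/value fields."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated header at offset %d" % pos)
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad length at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + length]
        pos += length


def parse_attributes(data):
    """Decode the attributes named in the thread from a reply's attribute bytes."""
    out = {"ssids": [], "wlan_id": None, "tunnel_type": None,
           "tunnel_medium_type": None, "vlan": None}
    for a_type, value in _split(data):
        if a_type == VSA:
            if len(value) < 4:
                raise ValueError("Vendor-Specific attribute without vendor id")
            vendor = struct.unpack("!I", value[:4])[0]
            # Sub-attributes use the same type/length/value layout.
            for s_type, s_val in _split(value[4:]):
                if vendor == VENDOR_CISCO and s_type == 1:
                    text = s_val.decode("ascii", "replace")
                    if text.lower().startswith("ssid="):
                        out["ssids"].append(text[5:])
                elif vendor == VENDOR_AIRESPACE and s_type == 1 and len(s_val) == 4:
                    out["wlan_id"] = struct.unpack("!I", s_val)[0]
        elif a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            key = "tunnel_type" if a_type == TUNNEL_TYPE else "tunnel_medium_type"
            out[key] = int.from_bytes(value[1:], "big")  # byte 0 is the tag
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:  # optional leading tag byte
                value = value[1:]
            out["vlan"] = value.decode("ascii", "replace")
    return out


def compare_reply(attrs, joined_ssid, joined_wlan_id):
    """Return the mismatches between the reply and the WLAN the client joined."""
    findings = []
    if attrs["ssids"] and joined_ssid not in attrs["ssids"]:
        findings.append("SSID %r is not in the returned list %r"
                        % (joined_ssid, attrs["ssids"]))
    if attrs["wlan_id"] is not None and attrs["wlan_id"] != joined_wlan_id:
        findings.append("client joined WLAN id %d, reply carries %d"
                        % (joined_wlan_id, attrs["wlan_id"]))
    return findings


# Constructed sample: the Group 11 (guest) attributes listed in the post.
GROUP11_REPLY = (
    vsa(VENDOR_AIRESPACE, 1, struct.pack("!I", 3))   # Aire-WLAN-ID = 3
    + vsa(VENDOR_CISCO, 1, b"ssid=Public")           # cisco-av-pair
    + tlv(TUNNEL_TYPE, b"\x00\x00\x00\x0d")          # VLAN
    + tlv(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")   # 802
    + tlv(TUNNEL_PRIVATE_GROUP_ID, b"112")
)

if __name__ == "__main__":
    attrs = parse_attributes(GROUP11_REPLY)
    print(attrs)
    # A guest joining the "Public" WLAN (id 3) versus the other WLAN (id 1).
    print(compare_reply(attrs, "Public", 3))
    print(compare_reply(attrs, "Private", 1))
```

Running it against the attribute bytes of a captured Access-Accept shows whether the ACS group is returning the attributes at all, which is the first thing to rule out before looking at the controller.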

Similar Messages

  • Single SSID and ACS

    Hi,
    I would like your help in the following scenario, we currently have a setup of CAS CAM, LDAP, WISM and ACS,
    The main point I'm focusing on is the ACS and WISM.
    Users are to obtain wireless access using a single SSID, and upon validation of credentials, they should gain access to one of 3 vlans, guest, data and voice, the use of separate SSID per vlan was highly discouraged by customer.
    Would appreciate your advice on the best feasible way to implement this.
    Regards,

    Hi,
    You can have single SSID in your setup. You need to set up feature called Dynamic VLAN Assignment.
    Check out this link,
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Regards,
    ~JG
    Please rate if that helps !

  • Portal and R3 user mapping

    Experts,
    We are on EP6 with 4.7 backend and using AD as our data source.
    We implemented ESS on ITS and we have few users who have different portal user ID and R/3 ID and I want their ID to be mapped to their R3 ID. 
    So far, I've added my r3 usrID as one of the parameters in AD and in the UM config file, I've mapped this field to userID. 
    I've defined the sap reference system and when I go to user mapping under "personalize" it says "Error occurred while reading the selected user mapping data"
    Can someone tell me what could be wrong with this setup?
    Thanks,
    James

    Well, this may not be the "best way" to do it but.....
    Make it a dedicated system and then you can have your users go up to personalize it once and done.  Then whatever you need the back end for, just reference the system you created.

  • Difference between ACS Administrator account and ACS user account?

    Does an ACS administrator by default have full rights to every device it manages?
    I thought ACS administrator accounts and user accounts were different.
    I have an ACS admin account called admin_1. Then I created another user account called admin_1 (for switch/router access).
    When I set the password for admin_1 (user account) and tried to log in to the switch, it wouldn't take. It would only take the password set for the ACS admin account.
    Is this by design?

    My understanding was that this is not the case. I've just tested my installation again to make double sure, and the user accounts and the admin accounts are clearly separated.
    The RADIUS server does not make use of the Admin user database.

  • User mapping certificate in UME (J2EE) with ABAP system as Backend (SNC)

    I hope someone can help me with the user mapping concept (X.509 V3 certificates) for both "worlds" (ABAP and JAVA Stack).
    I know how to install and configure certificate based (X.509) login to SAP ABAP and SAP JAVA (J2EE) Stack (--> enable encryption for communication and Single Sign On).
    Situation:
    We have a ready installed and configured X.509 certificate authentication environment for the ABAP world (between SAP GUI and SAP Server System)
    and the user mapping was configured in the ABAP System (SU01). As the users are using certificates, the passwords are deactivated on the ABAP System.
    Now if you want to integrate a JAVA (J2EE) System and you want to configure the UME to the ABAP System (as Backend), you have an administrative effort problem with the user mapping (X.509) in the UME configuration.
    1.) It is possible to assign manually the user public key to every user --> But too much effort
    2.) As the user does not have a password (deactivated in the ABAP system), the way to combine the automatic mapping with a user login does not work.
    3.) In the distinguished name of the user certificate there is no information about the SAP username itself
        --> you are not able to use any information of the DN to bind a user in the Login Module configuration.
    Now my question:
    Is it possible to use the sncname information from the ABAP System (still configured and available) for the UME configuration?
    As far as I know, it is possible to write an own Login Module. Does anybody have a customized Login module for this issue?
    At the end the best solution would be to enable the same user mapping mechanism on the JAVA world as on the ABAP world. --> Mapping the Distinguished Name to the SAP User

    We have developed a login module which is working with Kerberos auth, not X.509 auth, but still solves a very similar problem to the problem you are describing. As you know, when SNC is used to log on to the ABAP stack, the SNC name of the user is mapped onto a SAP user via entries in the USRACL table. Our mapping login module takes the authenticated user principal name from the shared state and uses this to look up the entry in the USRACL table on the ABAP stack, and from this it will know which SAP user to use, and can update shared state with this info so that CreateTicketLoginModule will create an SSO2 ticket for the mapped SAP user id.
    This means that mapping of a user's externally authenticated identity onto SAP user/client can be managed in one place, e.g. in the ABAP stack using USRACL table entries and su01 t-code etc.
    I know it is not exactly what you wanted, since you are looking to use X.509 certificates instead of Kerberos authentication, but I thought it was worth sharing so that you know the concept has already been implemented many times. Many of our customers use this login module when they have our product, for the same reasons that you have stated.
    Thanks,
    Tim

  • Question connecting iphone 4s wifi using SSID and WEP where do I

    Question, I am trying to connect my iphone 4s to a wireless router using SSID and WEP. I have entered the MAC Address on the phone into the Router's Security list.
    I think that I also need to enter a code or passphrase on to the phone as well.
    Does anyone know how this is done and where do I do it?
    Thank you in advance.

    Check the wireless security option of your Wi-Fi router:
    If you are using WEP security and have multiple WEP keys on your Wi-Fi router, try configuring your Wi-Fi router to use only a single WEP key in key index 1.
    Consider using WPA or WPA2 instead. WPA and WPA2 encryption protocols are newer, more effective security options for wireless networks than the older WEP protocol.

  • User mapping issue using SAP net weaver developer studio

    Dear All,
    I am getting below error when updating user mapping in SAP Enterprise Portal. I was able to update the data through SAP portal but not through the below code.
    Code:
    userMapData.setSystemAlias("WebEx");
    mappingData.put(UmeConstants.USERNAME, "user id");
    mappingData.put(UmeConstants.PASSWORD, "pasword");
    if (!userMapData.setMappingData(newUser, mappingData, logger)) {
        errorMessage = new ErrorMessage("Set user maaping data for + " + newUser.getDisplayName() + " failed.", "ApolloUMECreateUser.setUserMappingData()");
    }

    public boolean setMappingData(IUser iUser, Map logonData, UmeLog logger) {
        // logonData needs to be able to be null to clear the user mapping!
        if (iUser != null) {
            try {
                IUserMappingData mappingData = iUserMapping.getUserMappingData(systemAlias, iUser, logonData);
                //IUserMappingService iums = (IUserMappingService)PortalRuntime.getRuntimeResources().getService(IUserMappingService.KEY);
                //IUserMappingData mappingData = iums.getMappingData (systemAlias, iUser);
                mappingData.storeLogonData(logonData);
                return true;
            } catch (IOException ioe) {
                return false;
            } catch (Exception e) {
                return false;
            }
        }
        return false;
    }
    Error:
    #1.5#00155D007802007D0000417100000B480004F636722D1228#1396613610296#com.sap.security.core.umap.imp.UserMappingDataImp#ibm.com/ibm.com.tivoli.im.umeagent#com.sap.security.core.umap.imp.UserMappingDataImp.saveLogonDataInternal(Map, boolean)#Guest#0##n/a##88b1fdb2bbf211e3a6ac00000032f136#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Java###Cannot save logon data for principal {0} because there is no mapped backend user ID in the logon data map to save.#1#"user id, password" (unique ID: "USER.PRIVATE_DATASOURCE.un:aujastest31")#
    #1.5#00155D00780200740000411600000B480004F636722D12D8#1396613610296#System.err#ibm.com/ibm.com.tivoli.im.****umeagent#System.err#Guest#0##n/a##88cc4ee9bbf211e3b0a300000032f136#SAPEngine_Application_Thread[impl:3]_33##0#0#Error##Plain###Apr 4, 2014 5:43:30 PM com.ibm.tim.agents.UmeAgent [SAPEngine_Application_Thread[impl:3]_33] Info: Created the Writer
    #1.5#00155D007802007D0000417200000B480004F636722D18DA#1396613610296#com.sap.security.core.umap.imp.UserMappingDataImp#ibm.com/ibm.com.tivoli.im.umeagent#com.sap.security.core.umap.imp.UserMappingDataImp#Guest#0##n/a##88b1fdb2bbf211e3a6ac00000032f136#SAPEngine_Application_Thread[impl:3]_24##0#0#Error##Java###storeLogonData(Map)
    [EXCEPTION]
    {0}#1#com.sap.security.api.UMException: Mapped backend user ID not specified.
          at com.sap.security.core.umap.imp.UserMappingDataImp.saveLogonDataInternal(UserMappingDataImp.java:280)
          at com.sap.security.core.umap.imp.UserMappingDataImp.saveLogonData(UserMappingDataImp.java:251)
          at com.sap.security.core.umap.imp.UserMappingDataImp.storeLogonData(UserMappingDataImp.java:223)
          at com.ibm.tivoli.integration.im.agents.umeagent.sap.usermapping.UserMapData.setMappingData(UserMapData.java:106)
          at com.ibm.tivoli.integration.im.agents.umeagent.sap.UMECreateUser.setUserMappingData(UMECreateUser.java:381)
          at com.ibm.tivoli.integration.im.agents.umeagent.sap.UMECreateUser.UMECreateSAPUser(UMECreateUser.java:118)
          at com.ibm.tim.agents.UmeAgent.UMEProcessAddRequest(UmeAgent.java:207)
          at com.ibm.tim.agents.UmeAgent.processRequest(UmeAgent.java:134)
          at com.ibm.tim.agents.UmeAgent.doPost(UmeAgent.java:89)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
          at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
          at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
          at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
          at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
          at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
          at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
          at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
          at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
          at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
          at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
          at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
          at java.security.AccessController.doPrivileged(Native Method)
          at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
          at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

    Thanks Rodrigo for your reply.
    The user exists in the database and manual user mapping is working; only through code am I getting the error. Using the code, the user is created but the mapping is not happening. I am sending the ep6User user as iUser; please find the requested code.
    Please suggest. Thanks in advance!!!
    public UmeUser processRequest(com.ibm.dsml2.parser.AddRequest addRequest) {
        UmeUser ep6User = null;
        try {
            Enumeration enumAddRequestAttr = addRequest.enumerateAttr();
            Properties userAttributes = new Properties();
            // Copy every attribute of the add request; multi-valued ones are stored as a List
            while (enumAddRequestAttr.hasMoreElements()) {
                com.ibm.dsml2.parser.Attr attr = (com.ibm.dsml2.parser.Attr) enumAddRequestAttr.nextElement();
                if (attr.getValueCount() == 1) {
                    userAttributes.put(attr.getName(), getAttributeValue(attr));
                } else {
                    List list = new ArrayList(attr.getValueCount());
                    for (int i = 0; i < attr.getValueCount(); i++) {
                        list.add(getAttributeValue(attr, i));
                    }
                    userAttributes.put(attr.getName(), list);
                }
            }
            ep6User = new UmeUser(userAttributes, logger);
        } catch (Exception e) {
            logger.log(this.getClass().getName(), e);
        }
        return ep6User;
    }

  • Wireless SSID in ACS

    Hi,
    I want to do the restriction on the basis of SSID. I have two SSIDs on the Wireless LAN controller and all authentications are happening through Active Directory through ACS. ACS is integrated with Active Directory.
    The objective is to restrict the users: I want GROUP-A users to be able to log in only on SSID-A and GROUP-B users to log in only on SSID-B.
    GROUP-A users should not be able to log in to SSID-B and GROUP-B users should not be able to log in to SSID-A.
    Is it possible in ACS to apply the restriction on the basis of SSID, or is there any other workaround?
    Regards,
    Vashdev

    Vashdev,
    Yes, SSID-based restriction is possible with Cisco ACS. Please configure GROUP-A and GROUP-B with their respective SSID like (*ssid) as mentioned in the configuration example listed below.
    Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    Regards,
    JK
    Do rate helpful posts-

  • ACS Group mapping and restrictions

    hi,
    I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
    ACS Groups
    Netadmin - need telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authentication
    I need to map the above ACS groups to one or many AD groups and restrict access as stated above.
    Also please note that one user can belong to all three groups in ACS/AD.
    thanks in advance.

    In ACS a user can only belong to one group. But in AD we can have one user be a part of multiple groups.
    In this scenario, it is very important to understand how ACS group mapping works.
    Let's say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
    Select the AD group NetworkAdmin and map it to ciscosecure group 1
    select the AD group RouterAdmin and map it to ciscosecure group 2
    select the AD group Wireless and map it to ciscosecure group 3
    Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
    Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
    You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices, you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for Cisco IOS for routers and switches.
    IMPORTANT: If a user successfully authenticates to the AD database once, its username is cached on the ACS database (NOT the password). The only way to remove the previously cached username is to go to User Setup, find that user and delete it manually.
    ACS will not support the following configuration:
    * An Active Directory user that is a member of 3 AD groups (group A, B and C)
    * Those 3 groups are mapped within ACS as follows: Group1->A, Group2->B and Group3->C.
    * The user is in all 3 groups; however, he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However, if your mappings are in the order below...
    NT Groups ACS groups
    A,B,C =============> Group 1
    A =============> Group 2
    B =============> Group 3
    C =============> Group 4.
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
    This rule WILL apply for the user ONLY if he is present in ALL three groups (A,B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts
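
The first-match behaviour described in the answer above, as an added example that is not part of the original post: a small model of ordered group mapping plus a check for mappings that can never win because an earlier entry already matches every user they would match. The function names are hypothetical, and the model assumes, as the answer states, that a mapping listing several AD groups applies only to a user who is in all of them.

```python
def resolve_group(user_ad_groups, mappings):
    """Return the ACS group of the first mapping whose AD groups the user holds in full."""
    held = set(user_ad_groups)
    for required, acs_group in mappings:
        if set(required) <= held:
            return acs_group  # first match wins; later mappings are never consulted
    return None  # no mapping matched


def shadowed_mappings(mappings):
    """Return (dead_group, winning_group) pairs for mappings an earlier entry always beats."""
    dead = []
    for i, (required, acs_group) in enumerate(mappings):
        for earlier_required, earlier_group in mappings[:i]:
            # Anyone holding `required` also holds the smaller earlier set.
            if set(earlier_required) <= set(required):
                dead.append((acs_group, earlier_group))
                break
    return dead


# The unsupported configuration from the answer: Group1->A, Group2->B, Group3->C.
SINGLE_FIRST = [
    ({"A"}, "Group 1"),
    ({"B"}, "Group 2"),
    ({"C"}, "Group 3"),
]

# The ordering the answer recommends: the combined mapping comes first.
COMBINED_FIRST = [
    ({"A", "B", "C"}, "Group 1"),
    ({"A"}, "Group 2"),
    ({"B"}, "Group 3"),
    ({"C"}, "Group 4"),
]

# Constructed counter-example: same entries, combined mapping placed last.
COMBINED_LAST = COMBINED_FIRST[1:] + COMBINED_FIRST[:1]

if __name__ == "__main__":
    for name, table in (("single first", SINGLE_FIRST),
                        ("combined first", COMBINED_FIRST),
                        ("combined last", COMBINED_LAST)):
        print(name)
        for user in ({"A", "B", "C"}, {"A", "B"}, {"B"}, {"C"}):
            print("  AD groups %-18s -> %s" % (sorted(user), resolve_group(user, table)))
        print("  shadowed:", shadowed_mappings(table))
```

A user in only two of the three AD groups still lands in the group of the first single-group mapping that matches, so NARs on that group decide what the user can reach.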

  • How to bind ACS users to only one SSID?

    Hello!
    I have ACS 4.2 and AP 1240. I use two SSIDs, guest and user. The guest SSID must use PEAP authentication, the user SSID must use EAP-TLS authentication (ACS user local database). All works correctly. But when I create a user for EAP-TLS, I create it with the username from the certificate DN and some password. And somebody can use the DN as username and password for PEAP authentication for SSID Guest and SSID Users.
    How can I make it so that for SSID guest only PEAP authentication works and for SSID user only EAP-TLS authentication works?

    Are you using autonomous or lightweight AP's? If you have a controller you could setup the Radius attributes to specify which WLAN the user can authenticate to.
    Another option would be to setup dynamic VLAN assignment. This would work for either type of AP. The user might still be able to authenticate to either WLAN but after passing authentication they would be dumped into the VLAN you define.
    http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42sol.html#wp1086421

  • How to find SSID and Network Key to setup wireless printer to iMac?

    It is easy to find your "SSID" and "Network Key" once you understand what you are looking for. Here is what worked for me when I set up a new wireless printer today:
    1) SSID = Your Network Name
    Ex. Jason's Wi-Fi Network
    Ex. Harry's Lounge
    First way to find: on an iMac, go to the top bar on the right side and click on the "wireless symbol". You will see a list of all the wireless networks your computer is picking up. The one you are connected to (if you are able to surf the Internet) is the name you enter when asked for the SSID.
    NOVICE HINT: This is the equivalent to walking into a Starbucks and logging onto their wi-fi via their "network name," which has the word Starbucks in it. Some network names will have locks next to them, meaning they are "secured by a password" and some will not, meaning anyone can access this "free" wi-fi. This doesn't matter either way, it just helps with making sure you have located the list. Of course, it is also possible, if you live in a remote area, that only your network name will show up.
    Second way to find: on an iMac, go to the apple symbol in the upper left corner of computer and make sure it says "finder" (if it doesn't, just click on your desktop and it will show up), then select:
    go > applications > utilities > Airport Utility > double-click on the image of the AirPort Extreme and the network name will be listed
    2) Network Key = Password used to access your Wi-Fi Network
    Ex. BMXGuy456!
    Ex. Millionare$!!!
    This is the password you created when you set up your wireless network, meaning it may not be (and for better security should not be) the same password as you use for your Apple ID, email etc.
    NOVICE HINT: So if for example a friend came to stay with you and wanted to connect to your "secured wifi" meaning there is a lock next to it, you would give them this password.
    EXTRA INFO:
    Why do I need this info anyway?
    Because just like anyone who wants to use your wifi when they come over, the printer needs to understand what to connect to, therefore it basically needs the network name to know "WHAT" to connect to, and the "PASSWORD" in order to access that network.

    After much stumbling around, I also discovered this answer. I picked up the 2270DW used, without disc or manual, so downloaded what I needed from the Brother site, but the Brother Mac OSX instructions feel as if they're written by a non-Mac user. I am on OSX 10.7.5, using an Airport wireless unit in Bridging mode (because I have to use a provider's router at the front end of my setup). But once I picked my Airport network name through the Brother Wireless Setup Utility and then typed my network name in the SSID box and my network password in the Network Key box ("es" --- I think the "network key - i.e. password" had to be confirmed a second time) after waiting for the utility to process the information, it worked like a charm.

  • I have multiple SSID, but want users of a single SSID to be redirected to a HTTP or HTTPS URL (LAN SERVER for authentication)

    Hi team,
    I have multiple SSIDs, but want users of a single SSID to be redirected to a HTTP or HTTPS URL (LAN SERVER for authentication)
    I am very curious and it is important. I want to see how to achieve this with CISCO WLC !!!

    http://10.229.3.99/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=10.229.3.99/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=e8:40:40:ad:cc:80&wlan=MO-GUEST&redirect=www.geo.tv/
    I wanted that if someone connects to WLAN "MO-GUEST", the user should automatically be redirected to http://10.229.3.99/login.html and once authenticated by 10.229.3.99, he/she should be allowed to access anything as normal. [Actually I just want automatic URL redirection for the first time for the user of WLAN "MO-GUEST".]
    waiting expert opinions.

  • RV-120W and "Wireless Isolation within SSID"

    Hi everyone,
    I searched the forum and all I found is this post, which is not very complete.
    https://supportforums.cisco.com/discussion/11948496/rv120w-and-wireless-isolation-within-ssid#comment-9766211
    I have an RV-120W with the latest firmware update (1.0.5.6).
    I would like to isolate the WIFI from the LAN.
    I tried to look in the manual but it's not very clear.
    Can anyone help me with the specific steps to configure the router to separate those networks?
    Thank you
    Regards,
    Jean-Marc

    Hi Tom,
    Well, first of all, I don't speak about the wired computer. I mentioned it only in the beginning to show that DHCP and the router itself work correctly.
    OK, I can accept that the term "Wireless Isolation within SSID" can be understood as you and Darren describe - English is not my native language. And actually I'm glad for such a feature.
    But I must still insist that the description in the admin guide is misleading. Let's paste it here again:
    Chapter 3, page 56, part "Configuring Wireless Security and Other Settings", step 3-d:
    (Optional) Check the Wireless Isolation within SSID box to separate this network from the other three networks on the Cisco RV120W. When this feature is enabled, the network can communicate with the Cisco RV120W, but not with any of the other networks.
    Sorry Tom, but there is nothing written about isolating of wireless devices, which are connected to the same SSID.
    Rgds
    MaX

  • Wireless router hardware address and SSID Info

    I am looking for any information about the iphone 3Gs saving hardware address when saving wireless networks. I have not been able to find any information on this subject. I know that the phone does, i just need a technical reference. Thank you in advance for the help.

    My issue is more of an enterprise problem. That is why I wanted technical documents. Our SSID "test" is broadcast from 1-20 routers per building. The phone will not connect to a new AP without reentering the SSID, and then the user has to reenter access info. I am trying to get an answer on the OS using the hardware address to prove why they have to keep reentering the SSID and access info.

  • ACS 4.1 to differentiate and restrict users

    Hello all,
    I've been wrestling with this issue off and on for some time, but have had limited success. There is something I don't quite understand just yet. I hope someone here can help.
    I want to set up AAA on ACS 4.1 for authenticating login sessions to my switches, ASA and access points. That part is easy, and it even works, but here's what I'm having trouble with:
    Our ACS server points to our Windows 2003 AD database. If I set up my switches with AAA, anyone in the AD database can login to the switch. I only need about 5 people to have admin access to my switches, not the 4000 others.
    Also, I need to administer my access points. I am also a wireless user. Betty Sue in accounting is a wireless user, but has no need to administer the access point to which she associates. Same thing goes with our ASA and remote access VPN connections. How do I identify how a user connects to the device and set restrictions based on this?
    To put it another way:
    User A is Admin, wireless user, VPN user. Needs full access to all these devices. This part is easy.
    User B is accountant (or whatever), wireless user, VPN user. Should not have any access to administer the switch, AP, or ASA they are connecting to.
    I hope that makes sense. I've been through the NAP documents. I think the solution is there, but I'm not bright enough or brave enough to figure it out, at least not on a live network:)
    Thanks for any help.
    Scott

    All,
    I'm just now getting back to this. ACS is upgraded and the NAP is configured and almost working as I need it to be, with a big exception. Maybe someone can help?
    When I use telnet to login to a device, I am asked for "Username". With a sniffer, I can see that the AV Pair used to identify VTY connections is being sent with the proper value, and the user I want to be denied is denied. Subsequent requests to login are all asking for "Username", and all send the correct AV Pair, and all are rejected. Nice.
    Here's the issue. When I use SSH to login to the same device, with the same credentials, I am asked to "Login as". The first time, the AV Pair I need is sent and the user is denied. When I am asked again, I'm not asked for user name or to "login as" again, I'm only asked for the password. If I enter the correct password, the user, any user, is allowed. Not good. With the sniffer, I see that the AV Pair is only sent with the first attempt, subsequent attempts don't send the AV Pair in question, so ACS can't act on this information, and so the user who should be denied, is not.
    Any ideas for how to get around this? Can SSH be setup to present the username to the login session every time? Is there a way to force the sending of this AV Pair every time? Can I set up something to say that any user has only one attempt to login?
    The AV Pair in question is [061]NAS-Port-Type=5
    Thanks for any help
