https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77590#M8699 In the EAC you can configure the authentication rules in the AAA section. in one of those rules (Management Login) I want to configure an user group .<BR /> <BR /> According to the help file ,should this be possible.<BR /> <BR /> <B>User/MAC/Host</B><BR /> Select the <B>Pattern</B> radio button and enter the username, MAC address, or hostname that the end-system must match for this mapping. Or, select the <B>Group</B> radio button and select a user group or end-system group from the drop-down list. If you enter a MAC address, you can use a colon (:) or a dash (-) as an address delimiter, but not a period (.).<BR /> <BR /> The only groups I can select are End-System Groups.<BR /> <BR /> How can I select an user groups ?<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="95f5949fad57431fbb3f3437aa290353_d5b4e711-4d8a-419c-85fb-53efacc30081.jpg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/216i666A4D75975E5559/image-size/large?v=v2&amp;px=999" role="button" title="95f5949fad57431fbb3f3437aa290353_d5b4e711-4d8a-419c-85fb-53efacc30081.jpg" alt="95f5949fad57431fbb3f3437aa290353_d5b4e711-4d8a-419c-85fb-53efacc30081.jpg" /></span></P><BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="95f5949fad57431fbb3f3437aa290353_58a38fc5-77fb-4725-a854-5348873a063c.jpg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/4926i3E1F870E1288267F/image-size/large?v=v2&amp;px=999" role="button" title="95f5949fad57431fbb3f3437aa290353_58a38fc5-77fb-4725-a854-5348873a063c.jpg" alt="95f5949fad57431fbb3f3437aa290353_58a38fc5-77fb-4725-a854-5348873a063c.jpg" /></span></P> Thu, 08 Aug 2019 16:47:39 GMT JohanHendrikx 2019-08-08T16:47:39Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77590#M8699 In the EAC you can configure the authentication rules in the AAA section. in one of those rules (Management Login) I want to configure an user group .<BR /> <BR /> According to the help file ,should this be possible.<BR /> <BR /> <B>User/MAC/Host</B><BR /> Select the <B>Pattern</B> radio button and enter the username, MAC address, or hostname that the end-system must match for this mapping. Or, select the <B>Group</B> radio button and select a user group or end-system group from the drop-down list. If you enter a MAC address, you can use a colon (:) or a dash (-) as an address delimiter, but not a period (.).<BR /> <BR /> The only groups I can select are End-System Groups.<BR /> <BR /> How can I select an user groups ?<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="95f5949fad57431fbb3f3437aa290353_d5b4e711-4d8a-419c-85fb-53efacc30081.jpg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/216i666A4D75975E5559/image-size/large?v=v2&amp;px=999" role="button" title="95f5949fad57431fbb3f3437aa290353_d5b4e711-4d8a-419c-85fb-53efacc30081.jpg" alt="95f5949fad57431fbb3f3437aa290353_d5b4e711-4d8a-419c-85fb-53efacc30081.jpg" /></span></P><BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="95f5949fad57431fbb3f3437aa290353_58a38fc5-77fb-4725-a854-5348873a063c.jpg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/4926i3E1F870E1288267F/image-size/large?v=v2&amp;px=999" role="button" title="95f5949fad57431fbb3f3437aa290353_58a38fc5-77fb-4725-a854-5348873a063c.jpg" alt="95f5949fad57431fbb3f3437aa290353_58a38fc5-77fb-4725-a854-5348873a063c.jpg" /></span></P> Thu, 08 Aug 2019 16:47:39 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77590#M8699 JohanHendrikx 2019-08-08T16:47:39Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77591#M8700 Extra information: I cann't select LDAP user groups that are created. Fri, 09 Aug 2019 15:05:06 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77591#M8700 JohanHendrikx 2019-08-09T15:05:06Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77592#M8701 Hello Johan,<BR /> <BR /> LDAP usergroups can only be used in the AAA with authentication type "Registration (Auth&amp;Admin)".<BR /> <BR /> Are you looking to send management authentications to a different authentication server based on LDAP group membership, or prevent access based on group membership?<BR /> <BR /> If you're looking to prevent access based on LDAP membership the way you would do that is create a rule in the rules engine with LDAP usergroup that had an accept with appropriate management access AVPs, and below this rule create another rule for all management requests to would deny. <BR /> <BR /> That way unless you're part of the LDAP group configured in the first rule you'll fall into a deny role. <BR /> <BR /> Let me know if this is what you're looking for.<BR /> <BR /> Thanks<BR /> -Ryan Sun, 11 Aug 2019 00:51:02 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77592#M8701 Ryan_Yacobucci 2019-08-11T00:51:02Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77593#M8702 I've made roles and tested a connection to a swtich and a connection to an EWC controller.<BR /> <BR /> Both systems have the same EAC controlers.<BR /> <BR /> When connecting to the EWC with wrong credentials , the connection is refused.<BR /> When I do the test to a switch I can loging and have user rights.<BR /> <BR /> Did I forgot something? Thu, 15 Aug 2019 16:37:41 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77593#M8702 JohanHendrikx 2019-08-15T16:37:41Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77594#M8703 I"d have to take a look at the configuration.<BR /> <BR /> If you look at the Alarms &amp; Events --&gt; Events --&gt; Type of "NAC" or "Access Control Engine".<BR /> <BR /> When you login to the switch and the controller take a look at those events. Did they hit the same rule?<BR /> <BR /> Does the rule they hit indicate they were returned a "reject"?<BR /> <BR /> Thanks<BR /> -Ryan Sat, 17 Aug 2019 23:17:02 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77594#M8703 Ryan_Yacobucci 2019-08-17T23:17:02Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77595#M8704 Results<BR /> Management login to switch 10.2.112.211. No Access granted for User: x326000, due to NAC Filter-Id: Enterasys:version=1:policy=Deny Access, Profile: Registration Denied Access NAC Profile Authentication Protocol: PAP, Request Attributes - Service-Type: 1, User-Name: x326000, Calling-Station-Id: 00-00-00-00-00-00, NAS-IP-Address: 10.2.112.211, OPENFLOW_DATAPATH_ID: 19706979330, NAS-Identifier: SW-A11, Called-Station-Id: 00-04-96-A0-A4-02, NAS-Port-Type: 5, NAS-Port: 0, Source-Address: 10.2.112.211 - Response Attributes - Filter-Id: Enterasys:version=1:policy=Deny Access - This is an administrative request because the MAC is zeros: 00-00-00-00-00-00, username is not null and no EAP-Message, MS-CHAP-Challenge or Tunnel-Client-Endpoint is present.<BR /> <BR /> Management login to wireless controller 10.2.112.3. No Access granted for User: x326000, due to NAC Service-Type: null, Profile: Registration Denied Access NAC Profile Authentication Protocol: PAP, Request Attributes - Service-Type: 7, User-Name: x326000, NAS-IP-Address: 10.2.114.1, NAS-Identifier: EWC, NAS-Port-Type: 5, NAS-Port: 0, Source-Address: 10.2.112.3 - Response Attributes - Filter-Id: Enterasys:version=1:policy=Deny Access, Login-LAT-Port: 0 - This is an administrative request because the MAC is null, username is not null and no EAP-Message, MS-CHAP-Challenge or Tunnel-Client-Endpoint is present. Wed, 21 Aug 2019 13:30:09 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77595#M8704 JohanHendrikx 2019-08-21T13:30:09Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77596#M8705 The switch might be allowing you in just because the Access was "Accept". Can you change the "Denied Access NAC profile" and set it to "Reject authentication requests". <BR /> <BR /> It will be the option at the top of the profile.<BR /> <BR /> Thanks<BR /> -Ryan Wed, 21 Aug 2019 19:31:09 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77596#M8705 Ryan_Yacobucci 2019-08-21T19:31:09Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77597#M8706 Ryan, this works. Thanks for the solution Wed, 21 Aug 2019 20:19:40 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/can-t-select-user-groups-in-authentication-mapping/m-p/77597#M8706 JohanHendrikx 2019-08-21T20:19:40Z