Associate remote users with specific VPN Profiles

Unanswered Question
Jun 15th, 2007


we currently use CiscoSecure server to authenticate our remote users against an RSA database.

We have set-up different .PCF files corresponding to the VPN groups on our firewall. So, a particular Profile is only allowed access to certain parts of the network. Then we give the PCF file to the relevant users(s).

This all works fine. However, there is nothing to stop a user obtaining and using a PCF file (e.g. from a colleague) with access to more areas of the network than we want to allow them to. i.e. the PCF files are not tied down to specific users.

Is there anyway this can be achieved with our existing set-up? Can we specify specific users from our Cisco Secure/RSA database are tied down to particular VPN profiles on our firewall?

Any suggestions on the best way of achieving this would be welcome.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (3 ratings)
Jon Marshall Fri, 06/15/2007 - 04:31


What you could do is use per user downloadable acl on your Cisco secure ACS server. When each user authenticates the firewall downloads a per user acl and adds it to the access-list on the outside interface.



mitchen Mon, 06/18/2007 - 02:02


thanks for the suggestion, it sounds interesting.

I'm not familiar with the per user downloadable ACLs - do you have any more info on that and how to implement them?

(I'm a bit of a novice in general when it comes to the ACS server!)


Jon Marshall Mon, 06/18/2007 - 11:48

Sure, could you let me know what version of the ACS server you have so i can dig out some docs and also ensure your version supports downloadable acl's.


Jon Marshall Tue, 06/19/2007 - 12:09

Okay v4.1 does support downloadable acl's.

What happens is that once your user has been authenticated via the ACS server your VPN device then receive a per-user or per-group ( it's up to you ) acl that is "added" to the existing access-list on the outside interface of your firewall. Assuming you are using a pix or ASA device you would apply your outside access-list (acl_outside in this example) with the following line in the config

access-group acl_outside in interface outside.

For downloadable acl's to work you need to amend this line to

access-group acl_outside in interface per-user-override

This allows the firewall to add the additional per user access to the outside access-list.

If authentication is already working off your firewall then the above is the only change you should need to make.

As for your ACS server, attached is a link on how to configure downloadable acl's that should get you started



mitchen Mon, 06/25/2007 - 07:12

Thanks, I'll have a look at the info you've supplied.

ohanusi@lagos.s... Tue, 06/26/2007 - 08:04

one of the ways to do this is to download the user group policy profile from the acs when the user logon .

mitchen Tue, 06/26/2007 - 08:08

Thanks - do you have any more info on how to achieve this?

jessica_j Wed, 07/18/2007 - 21:40

I am looking for a similar solution with the authentication used is Microsoft Active Directory through Microsoft IAS Radius server.

Any solution to tie down a user to specific profile?


This Discussion