Associate remote users with specific VPN Profiles

Jun 15th, 2007

Hi,


We currently use a CiscoSecure server to authenticate our remote users against an RSA database.


We have set up different .PCF files corresponding to the VPN groups on our firewall, so a particular profile is only allowed access to certain parts of the network. Then we give the PCF file to the relevant user(s).


This all works fine. However, there is nothing to stop a user obtaining and using a PCF file (e.g. from a colleague) with access to more areas of the network than we want to allow them, i.e. the PCF files are not tied down to specific users.


Is there any way this can be achieved with our existing set-up? Can we specify that particular users from our Cisco Secure/RSA database are tied down to particular VPN profiles on our firewall?


Any suggestions on the best way of achieving this would be welcome.

Jon Marshall Fri, 06/15/2007 - 04:31

Hi


What you could do is use per-user downloadable ACLs on your Cisco Secure ACS server. When each user authenticates, the firewall downloads a per-user ACL and adds it to the access-list on the outside interface.


HTH


Jon

mitchen Mon, 06/18/2007 - 02:02

Hi,


thanks for the suggestion, it sounds interesting.


I'm not familiar with the per user downloadable ACLs - do you have any more info on that and how to implement them?


(I'm a bit of a novice in general when it comes to the ACS server!)


Thanks.

Jon Marshall Mon, 06/18/2007 - 11:48

Sure, could you let me know what version of the ACS server you have so I can dig out some docs and also ensure your version supports downloadable ACLs.


Jon

Jon Marshall Tue, 06/19/2007 - 12:09

Okay, v4.1 does support downloadable ACLs.


What happens is that once your user has been authenticated via the ACS server, your VPN device then receives a per-user or per-group (it's up to you) ACL that is "added" to the existing access-list on the outside interface of your firewall. Assuming you are using a PIX or ASA device, you would apply your outside access-list (acl_outside in this example) with the following line in the config:


access-group acl_outside in interface outside


For downloadable ACLs to work you need to amend this line to:


access-group acl_outside in interface outside per-user-override


This allows the firewall to add the additional per-user access to the outside access-list.


If authentication is already working off your firewall then the above is the only change you should need to make.


As for your ACS server, here is a link on how to configure downloadable ACLs that should get you started:


http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fe.html#wp892391


HTH


Jon
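
The per-user-override behaviour Jon describes, modelled in Python as an added example (this is not code from the thread or from Cisco). It parses ASA/PIX-style extended ACEs, assembles a downloaded per-user ACL from RADIUS cisco-av-pair values of the assumed form `ip:inacl#N=<ace>` (the form in which ACS delivers the ACL contents), reads the `access-group` line to see whether `per-user-override` is present, and then decides a packet the way the firewall does: with the keyword the user's downloaded ACL replaces the interface ACL for that user's traffic; without it the packet has to pass the interface ACL first and then the user ACL, so the downloaded ACL can only narrow access, never widen it. All names and addresses (the `acl_outside` ACL, users alice and bob, the 10.8.0.0/24 VPN pool, the 10.1.0.0/16 inside network) are made up for the scenario. One caveat the post does not mention: on a PIX/ASA with `sysopt connection permit-vpn` enabled (the default), decrypted remote-access VPN traffic is exempted from interface ACLs altogether, while group-policy and per-user authorization ACLs still apply, so in that configuration the downloaded per-user ACL is the only thing constraining the user.

```python
"""Model of how a PIX/ASA composes a RADIUS-downloaded per-user ACL with the
interface ACL, with and without the access-group 'per-user-override' keyword.
Added example for this thread, not Cisco code; all names and addresses are
made up (10.8.0.0/24 is assumed to be the VPN address pool)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One extended access-control entry in ASA/PIX syntax."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # destination port; None means any


def _take_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'permit tcp 10.8.0.0 255.255.255.0 host 10.1.1.20 eq 22'."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    action, proto, rest = t[0], t[1], t[2:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)


# Assumed attribute form for the downloaded ACL contents: cisco-av-pair 'ip:inacl#N=<ace>'.
_AV_PAIR = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def acl_from_av_pairs(pairs: list) -> list:
    """Assemble the per-user ACL from RADIUS attributes, ordered by the #N index."""
    entries = []
    for p in pairs:
        m = _AV_PAIR.match(p.strip())
        if m:
            entries.append((int(m.group(1)), parse_ace(m.group(2))))
    return [ace for _, ace in sorted(entries, key=lambda e: e[0])]


def acl_permits(acl: list, proto: str, src: str, dst: str, dport: int) -> bool:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and ace.dport in (None, dport)):
            return ace.action == "permit"
    return False


_ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)( per-user-override)?$")


def per_user_override(access_group_line: str) -> bool:
    """True if the access-group line carries the per-user-override keyword."""
    m = _ACCESS_GROUP.match(access_group_line.strip())
    if not m:
        raise ValueError(f"bad access-group line: {access_group_line!r}")
    return m.group(3) is not None


def firewall_permits(access_group_line, interface_acl, user_acl, proto, src, dst, dport):
    """Decide an authenticated user's packet the way the firewall does.
    With per-user-override the downloaded ACL replaces the interface ACL for
    that user's traffic; without it the packet must pass the interface ACL and
    then the user ACL.  user_acl=None means nothing was downloaded."""
    if user_acl is None:
        return acl_permits(interface_acl, proto, src, dst, dport)
    if per_user_override(access_group_line):
        return acl_permits(user_acl, proto, src, dst, dport)
    return (acl_permits(interface_acl, proto, src, dst, dport)
            and acl_permits(user_acl, proto, src, dst, dport))


# --- constructed scenario -------------------------------------------------
# The interface ACL lets VPN clients reach only the DNS server.  Per-user ACLs
# from ACS widen that: alice may reach all of 10.1.0.0/16, bob only SSH to 10.1.1.0/24.
INTERFACE_ACL = [parse_ace("permit udp 10.8.0.0 255.255.255.0 host 10.1.0.53 eq 53")]
ALICE_DACL = acl_from_av_pairs(["ip:inacl#1=permit ip 10.8.0.0 255.255.255.0 10.1.0.0 255.255.0.0"])
BOB_DACL = acl_from_av_pairs([
    "ip:inacl#2=deny ip any any",                # delivered out of order on purpose
    "ip:inacl#1=permit tcp 10.8.0.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 22",
])
WITH_OVERRIDE = "access-group acl_outside in interface outside per-user-override"
WITHOUT_OVERRIDE = "access-group acl_outside in interface outside"

if __name__ == "__main__":
    # bob gets bob's ACL whichever .pcf he connected with: 10.1.1.x allowed, 10.1.2.x denied
    print(firewall_permits(WITH_OVERRIDE, INTERFACE_ACL, BOB_DACL, "tcp", "10.8.0.5", "10.1.1.20", 22))    # True
    print(firewall_permits(WITH_OVERRIDE, INTERFACE_ACL, BOB_DACL, "tcp", "10.8.0.5", "10.1.2.20", 22))    # False
    print(firewall_permits(WITH_OVERRIDE, INTERFACE_ACL, ALICE_DACL, "tcp", "10.8.0.6", "10.1.2.20", 22))  # True
    # without the keyword the interface ACL still has to permit the flow, so the DACL cannot widen access
    print(firewall_permits(WITHOUT_OVERRIDE, INTERFACE_ACL, BOB_DACL, "tcp", "10.8.0.5", "10.1.1.20", 22)) # False
```

The point for the original question is that the decision keys on the ACL ACS returns for the authenticated username, not on which .pcf file (VPN group) the client used, so a borrowed profile no longer buys a user more reach than his own ACL grants.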


mitchen Mon, 06/25/2007 - 07:12

Thanks, I'll have a look at the info you've supplied.

jessica_j Wed, 07/18/2007 - 21:40

I am looking for a similar solution where the authentication used is Microsoft Active Directory through a Microsoft IAS RADIUS server.


Any solution to tie down a user to specific profile?
