
Global HA VPN with Role based authentication?

green_andrew
Level 1

I am struggling with a customer requirement...

They require a remote access VPN solution, which connects back to three locations - Scotland, London and New York (using ASAs or their existing PIX 515Es).

The users are geographically dispersed around the world, but with the majority in the UK and the US. The requirement has two main aspects -

1) High availability - the users connect to the primary location (i.e. Scotland) but if unavailable, they automatically connect to the secondary (i.e. London) and then to the tertiary (i.e. NY). I believe this can be achieved using the Cisco client software and specifying the three connections in order of preference.

2) 'Role based' authentication and access privileges. Therefore if a standard user connects, they only get access to a limited set of applications, i.e. mail and web, but if an Administrator connects they would get access to a much larger set of apps. What is the simplest way of achieving this? Can Cisco VPN integrate with the Active Directory profiles already in use? Would I need Cisco ACS? If so, would I need ACS in all three locations? Would SSL or IPSec be a more appropriate technology?

Thanks for any help.

Andy

1 Reply

htarra
Level 4

ASA/PIX does support Active Directory profiles; however, for role based authentication to work you will need ACS. The ACS will be required at a single location; however, a backup ACS is recommended in case the primary ACS fails for some reason. In your case I think SSL VPN will be a good choice.