We have Secure Computing Premier Access Safeword to authenticate VPN users.
The setup goes this way, in Cisco VPN Concentrator 3000 we have defined
groups to filter users access. For instance, every
organization unit has a unique group which is eligible to access a certain
portion in our network. On the other side, we have Safeword as our personal
authentication mean. Of course, users are defined here in Safeword not in
Cisco VPN Concentrator 3000.
The issue is: Cisco VPN Concentrator 3000 groups are not mapped in
Safeword. Thus, security rules, i.e. Cisco VPN Concentrator 3000 groups
access rights could be broken.
Our objective is to find a way to lock users into their groups, i.e.
integrate Cisco VPN Concentrator 3000 groups into Safeword or any other
acceptable sort of groups mapping where bypassing access is not possible.
We succeeded to do both authentication steps: groups and users in Safeword by recreating according VPN groups in Safeword. However, this had killed the chance to filter users access in Cisco VPN since the groups are specified now as externally configured where all access filteration controls are not usable where Cisco VPN 3000 assumes the external server will take care of this.
How to do the groups mapping with effective access filteration?