Proxy authentication

Unanswered Question
Sep 28th, 2007

I have the following topology. R1 with firewall features, R2 and ACS belong to Customer A, while R3 with firewall features and VPN concentrator belong to Customer B.

User--Internet--R1FW---R2--R3FW--VPNConcentrator
                        |
                       ACS

The requirement is for User, which is a mobile user of Customer A, to connect to Customer B's VPN concentrator and open an IPSEC connection using the Cisco VPN client.

User must also be authenticated when entering Customer A network and I am considering proxy authentication. So, before opening the vpn client, the user will initiate an http connection to R1 and authenticate itself to the ACS server using a username/password. If authentication is successful, an entry will be downloaded to the R1 inbound access-list to allow traffic from the IP of the authenticated user to the IP of the VPN concentrator.

The problem is that Customer B needs to know the IP addresses of users with vpn clients so that it can allow only traffic from this IP passing through R3 FW.

Since this is a mobile user, he can connect from different places, so he does not use a single IP.

Here are my thoughts/questions to address this issue:

1. Is it possible to assign User a static IP when authenticating with the ACS along with proxy authentication?

2. Can I use NAT outside at R1 so I translate user IP to a static IP? Do you see any issue with this implementation?

3. Is there another solution to achieve the above, i.e. authentication of mobile users and static IP assignment?

Thanks,

Evi
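An added example, not from the original post or from Cisco documentation, of how the proxy-authentication step described in the question is typically configured on an IOS router: R1 intercepts the user's first HTTP connection, authenticates the user against ACS over RADIUS, and ACS returns per-user auth-proxy ACL entries that the router splices into its inbound ACL with the source rewritten to the authenticated client's address. All addresses, interface and rule names, and the RADIUS shared secret are placeholders; the ACS side is shown as the cisco-av-pair attributes one would enter in the user or group profile.

```cisco
! --- R1 (Customer A edge, Internet-facing interface) ---
! Placeholder addresses: 203.0.113.1 = R1 outside interface,
! 10.0.0.5 = Customer A ACS, 198.51.100.10 = Customer B VPN concentrator.
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 10.0.0.5 key PLACEHOLDER-SHARED-SECRET
!
! The router must serve HTTP itself so the user has a login page to hit.
ip http server
ip http authentication aaa
!
! Proxy rule: intercept HTTP; dynamic entries age out after 60 idle minutes.
ip auth-proxy name VPNUSERS http inactivity-time 60
!
! Static inbound ACL: only the login page is reachable before authentication.
! Everything the authenticated user needs is inserted dynamically by auth-proxy
! ahead of these static lines, from the ACEs ACS returns for that user.
access-list 110 permit tcp any host 203.0.113.1 eq www
access-list 110 deny   ip any any log
!
interface FastEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy VPNUSERS
!
! --- ACS (RADIUS) user/group profile for the mobile VPN users ---
! cisco-av-pair attributes. "any" as source is replaced by the client's
! address at login, so only the IPsec client traffic to the concentrator
! is opened: ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP.
!   auth-proxy:priv-lvl=15
!   auth-proxy:proxyacl#1=permit udp any host 198.51.100.10 eq 500
!   auth-proxy:proxyacl#2=permit udp any host 198.51.100.10 eq 4500
!   auth-proxy:proxyacl#3=permit esp any host 198.51.100.10
```

Note that this only answers the "who may pass R1" part of the question: the dynamic ACE carries whatever source address the mobile user currently has, so on its own it gives Customer B nothing fixed to filter on at R3; the static source address has to come from NAT on R1 or from addressing the VPN session itself.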

j.langton Thu, 12/13/2007 - 19:01

Does the Concentrator have connectivity with Cust A's ACS server? I assume so. The best way to assign the remote client an IP address is to use an IP pool which is attached to the VPN user's group. Then Cust B would be able to build fw rules around this subnet. Be sure to use NARs to permit only authentication to the VPN and not any other RADIUS/TACACS+ clients. HTH.
