Remote Access VPN Client Authorization

Unanswered Question
Oct 3rd, 2007

I have a PIX-525 running version 6.3

The PIX is configured for remote access VPN. Mobile users use Cisco VPN client software to connect and access the corporate network resources.

AAA Server is in place and is used in conjunction with the xauth feature to authenticate the mobile users using the Cisco VPN client. The problem is that once any user is authenticated (whether he is in customer support or management or Operations) he can access any part of the corporate network infrastructure.

How can I restrict this? One option is using multiple profiles on the PIX, but the users can easily install the .pcf file meant for other departments and are good to go.

What should I do? I was wondering if I can use the AAA server already in place to do the authorization for the mobile users. What would be the configuration changes required on the PIX to direct the mobile users to AAA for authorization?

Please suggest. Thanks

Jon Marshall Wed, 10/03/2007 - 11:31


Is your AAA server a Cisco Secure ACS server, and if so, what is the version of the software?

Depending on the above, what you might be able to do is use downloadable access-lists (DACL) which are configured on the ACS server. So you can group your users into their respective departments, and then when they authenticate, that group gets a specific access-list applied to the PIX.

The groups could be configured on your ACS server or the ACS server could query your AD groups (if you have AD).

This would seem to be exactly what you need.



rpsrekhi3 Wed, 10/03/2007 - 11:57

Jon - I have an RSA SecurID ACE Server which is providing the TACACS services for authentication.

But my point is, how would the PIX know which authenticated users have to be authorized?

How do we enable it? Is there any command (e.g. aaa authorization include)?

Jon Marshall Wed, 10/03/2007 - 13:09


Just to clarify. Are you concerned with denying access to certain groups of servers/services etc., or are you more concerned with what they can do if they connect to the PIX or other network devices?

I'm guessing the first, in which case authorization isn't really what you need. But if I have misunderstood, please explain.


Jagdeep Gambhir Sat, 10/06/2007 - 04:36

What you are trying to achieve can be done using a feature called "Network Access Restrictions" (NARs).

A condition specified in a NAR needs to be met before a user can access any device in the network. Please refer to the links given below for more information on implementing NARs in ACS:

*Setting Network Access Restrictions for a User Group*

*Network Access Restrictions White Paper*



Please rate helpful posts

rpsrekhi3 Sat, 10/06/2007 - 08:45

Hey JG,

Thanks for your response.

The documentation that you have provided is using the Cisco ACS Server.

I already have RSA ACE Server which provides TACACS Services.

What I want is authorization for my remote access VPN clients. My only question is: are there any configuration lines that I need to specify in my PIX so that all remote access VPN clients are authorised?

Also, the authentication is already happening using the same TACACS services of the RSA box.


angelbrown121 Fri, 08/30/2013 - 05:46

Remote access VPN authorization enables users to securely communicate sensitive information to networks and servers over the VPN tunnel, using LAN, wireless LAN and various dial-up connections, including broadband connections.
