ACS with Vasco

andrew100
Level 1

Hi,

I was wondering - is there any way when configuring ACS for Radius Proxy into Vasco that particular usernames in Vasco can be mapped to ones in ACS in order to apply attributes to only certain people?

My understanding so far is that if ACS cannot find the username in its local database it will back it off into an external database if configured, such as Vasco. However, I need different group policies applied to particular users by using attributes.

Thanks in advance for your help!

Andy


somishra
Cisco Employee

Hi Andy,

To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:

ACS:CiscoSecure-Group-Id = N

where N is the CiscoSecure ACS group number (0 through 499) to which CiscoSecure ACS should assign the user. For example, if Radius Token Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair:

ACS:CiscoSecure-Group-Id = 37

CiscoSecure ACS assigns the user to group 37 and applies authorization associated with group 37.

Hope this helps,

somishra
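
The attribute described in the reply above travels as a RADIUS Vendor-Specific attribute (type 26) with vendor ID 9 and vendor type 1. The following is an added example, not part of the thread and not Cisco or Vasco code: it encodes that attribute and extracts the group number from a reply's attribute bytes, which is useful for checking what a token server actually returns. The function names and the sample bytes are assumptions made for illustration.

```python
import re
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for vendor-specific data (RFC 2865)
CISCO_VENDOR_ID = 9    # the "009" in [009\001]
CISCO_AV_PAIR = 1      # the "001" in [009\001]
GROUP_RE = re.compile(r"^ACS:CiscoSecure-Group-Id\s*=\s*(\d+)$")

def build_group_vsa(group):
    """Encode cisco-av-pair 'ACS:CiscoSecure-Group-Id = N' as a RADIUS VSA."""
    if not 0 <= group <= 499:
        raise ValueError("ACS group number must be 0 through 499")
    text = f"ACS:CiscoSecure-Group-Id = {group}".encode("ascii")
    sub = struct.pack("!BB", CISCO_AV_PAIR, len(text) + 2) + text
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def iter_attributes(buf):
    """Yield (type, value) for each attribute in a packet's attribute section."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen

def extract_group(attrs):
    """Return the ACS group number carried in attrs, or None if absent or invalid."""
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        # Only the first sub-attribute of each VSA is inspected.
        vtype, vlen = value[4], value[5]
        if vtype != CISCO_AV_PAIR or vlen < 2 or 4 + vlen > len(value):
            continue
        m = GROUP_RE.match(value[6:4 + vlen].decode("ascii", "replace"))
        if m and int(m.group(1)) <= 499:
            return int(m.group(1))
    return None

# Constructed sample: a Reply-Message (type 18) followed by the group VSA.
SAMPLE = bytes([18, 4]) + b"ok" + build_group_vsa(37)
```
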

Hi Somishra

That's great, and thanks for your help!

Don't think Vasco supports the attribute though which is a shame :-(

Thanks again!

Andy

Hi Somishra,

I've been trying to get network authorization working with RADIUS with the ASA, so that I can assign Cisco AV-pair ACL statements to define where users can go using cut-through proxy. It appears it can only use RADIUS for authentication, and you need TACACS+ (and therefore ACS) to get network authorization working. Is this correct?

Thanks,

Dave