11-14-2007 01:56 PM - edited 03-10-2019 03:30 PM
Hi,
I was wondering - is there any way when configuring ACS for Radius Proxy into Vasco that particular usernames in Vasco can be mapped to ones in ACS in order to apply attributes to only certain people?
My understanding so far is that if ACS cannot find the username in its local database it will back it off into an external database if configured, such as Vasco. However I need different group policies applied to particular users by using attributes.
Thanks in advance for your help!
Andy
11-15-2007 12:22 AM
Hi Andy,
To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:
ACS:CiscoSecure-Group-Id = N
where N is the CiscoSecure ACS group number (0 through 499) to which CiscoSecure ACS should assign the user. For example, if Radius Token Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair:
ACS:CiscoSecure-Group-Id = 37
CiscoSecure ACS assigns the user to group 37 and applies authorization associated with group 37.
Hope this helps,
somishra
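An added example, not part of the reply above: a Python check that an Access-Accept from the external token server actually carries the vendor 9 / type 1 cisco-av-pair with a group number in the stated 0 through 499 range. The packet is constructed inline with a zeroed authenticator, and the function names are hypothetical.

```python
import re
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_VENDOR_ID = 9    # the "009" in [009\001]
CISCO_AV_PAIR = 1      # the "001" in [009\001]
GROUP_RE = re.compile(r"ACS:CiscoSecure-Group-Id\s*=\s*(\d+)")

def cisco_av_pairs(packet: bytes):
    """Yield each cisco-av-pair string carried in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AV_PAIR) and 2 <= vlen <= len(value) - 4:
                yield value[6:4 + vlen].decode("ascii", "replace")
        pos += alen

def acs_group(packet: bytes):
    """Return the ACS group number the reply requests, or None if absent."""
    for pair in cisco_av_pairs(packet):
        m = GROUP_RE.fullmatch(pair.strip())
        if m:
            group = int(m.group(1))
            if not 0 <= group <= 499:   # range stated in the reply above
                raise ValueError(f"group {group} outside 0-499")
            return group
    return None

def build_accept(attrs: bytes) -> bytes:
    """Constructed Access-Accept (code 2) with a zeroed authenticator."""
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

def av_pair_attr(text: str) -> bytes:
    """Encode one cisco-av-pair string as a Vendor-Specific attribute."""
    data = text.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(data) + 2) + data
    return bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa

if __name__ == "__main__":
    print(acs_group(build_accept(av_pair_attr("ACS:CiscoSecure-Group-Id = 37"))))
```

A result of None on a captured reply means the external server did not return the attribute, so no per-user group mapping is being requested.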
11-15-2007 02:31 AM
Hi Somishra
That's great and thanks for your help!
Don't think Vasco supports the attribute though which is a shame :-(
Thanks again!
Andy
12-01-2007 12:16 AM
Hi Somishra,
I've been trying to get network authorization working with RADIUS with the ASA, so that I can assign Cisco AV-pairs ACL statements to define where users can go to using cut through proxy. It appears it can only use RADIUS for authentication, and you need TACACS+ (and therefore ACS) to get network authorization working. Is this correct?
Thanks,
Dave