VPN with multiple authentication servers

Mar 12th, 2008

I have some questions about the possibilities of the Cisco ASA.

I'm working in a large organization and I need to implement an IPSec VPN solution.

Our organization works with a few other large organizations, and users of the other organizations must have access to our VPN solution. For authentication we thought about placing a RADIUS server that forwards the user credentials to our LDAP server, or to the RADIUS server of the other organizations. Thereby we are thinking of placing @organization so that the RADIUS server knows to which authentication server to forward the request.

Configuring this is not a problem, but we would like the RADIUS (no ACS) server to send back to the ASA which organization (group) the user belongs to, so that we can configure groups on the ASA and the users get a specific IP address that belongs to that group.

So my question is: does the ASA understand a group sent back from the RADIUS server, so that we can locally configure groups with their policies?

Or can anyone give me other advice?

Anonymous (not verified) Tue, 03/18/2008 - 14:03

You can make the user authenticate to the Radius server and map the Radius group to an ASA group. Let's say you want to lock a user abc123 into group Employee. Then on the radius server define IETF attribute 25 Class "OU=RemotePolicy;" for this user. Basically the OU sets the group policy for this user, and in the group policy you lock the user into the tunnel-group that you want.
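
The mapping described in the answer, written out as an added example (not from the original post or from Cisco documentation): a FreeRADIUS users entry that returns the Class attribute, and the ASA side that maps that value to a group policy with its own address pool and locks the user into one tunnel group. The names RemotePolicy, OrgA-VPN, OrgA-Pool, NoAccess, the 10.x addresses and the secrets are assumed placeholders; ASA syntax is for the 8.0-8.3 releases.

```cisco
# FreeRADIUS "users" entry (constructed; password is a placeholder).
# Reply attribute 25 (Class) carries "OU=<group-policy-name>;", which the
# ASA reads to select the group policy for this session.
abc123    Cleartext-Password := "changeme"
          Class = "OU=RemotePolicy;"

! ASA side (constructed; ASA 8.0-8.3 syntax).
! RADIUS server the ASA forwards the VPN user's credentials to.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10
 key <shared-secret>

! Organization-specific address pool: users placed in RemotePolicy
! get their VPN address from here.
ip local pool OrgA-Pool 10.10.1.1-10.10.1.254 mask 255.255.255.0

! Group policy named exactly as in the RADIUS Class value.
! group-lock rejects the session if the user connected through any other
! tunnel group, so an OrgA user cannot borrow another connection profile.
group-policy RemotePolicy internal
group-policy RemotePolicy attributes
 vpn-tunnel-protocol IPSec
 address-pools value OrgA-Pool
 group-lock value OrgA-VPN

! Fallback policy for users whose RADIUS reply carries no usable Class:
! zero simultaneous logins means they authenticate but get no session.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! Tunnel group (connection profile) that authenticates against RADIUS.
tunnel-group OrgA-VPN type remote-access
tunnel-group OrgA-VPN general-attributes
 authentication-server-group RADIUS
 default-group-policy NoAccess
tunnel-group OrgA-VPN ipsec-attributes
 pre-shared-key <group-psk>
```

After a test login, `show vpn-sessiondb remote` on the ASA lists the group policy and tunnel group the session landed in, which confirms whether the Class value was honoured or the user fell through to NoAccess.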
