Thinking about something and looking for a way to possibly do this.
Currently, with the VPN 3000, you create the different groups and assign split tunnel lists and filters to that group. Then the client (remote user) is put into that group based on what group authentication they have in their VPN profile they are using.
Now I know there is a way to make per-user filters on the VPN, but the user's account must be created and exist locally on the VPN. This won't work for me because we have a bunch of VPN concentrators in different places where the user could connect to. Plus it would be impossible to manually maintain them all.
But what I would really like to do is somehow use the ACS to determine what filter to apply on a per-user basis when the remote user connects to the VPN.
I want to do it this way and not rely completely on group authentications for access control because there is no guarantee that the user is using the right profile.
Ideally, I'd like to have a single ONE profile with only one group authentication and permit the different users access to different parts of the network based on their username.
I know, for example, the PIX can do such dynamic per-user ACLs sent from the ACS in the form of RADIUS attributes - which is what I'm wanting to do. Or something similar. But that only applies to an http session using authentication proxy. I'd really like to do some sort of integrated ACLs based on a remote VPN user's credentials.
Any suggestions or ideas at all?