I have been given a request by a client to create a profile for a VPN client. The requirement for this VPN client is that it can access only one of our production VLANs within our network and is blocked from the rest.
Our network design is as follows: VPN clients connect to our ASA appliance using the Cisco VPN client. The ASA is then configured to use TACACS+ and send the authentication requests for VPN users to our Cisco ACS server. The ACS server is then configured to query Active Directory for the user. If the provided user credentials are correct and match Active Directory, then TACACS+ allows the connection.
I think I can configure the scenario as follows:
I will have to create a user in Active Directory for the specific account. Then somewhere on the ASA (perhaps in dynamic access rules?) I will create a rule or profile that allows the user to see our VLAN 6 but no others.
I would appreciate any input or instruction with respect to this.
Thank you in advance.
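One way to build the "VLAN 6 only" profile the post describes is a dedicated connection profile (tunnel-group) whose group-policy carries a vpn-filter ACL. The configuration below is an added example, not the poster's configuration and not from the original post. Everything in it is an assumption: VLAN 6 is 10.6.0.0/24, the client pool is 192.168.60.0/24, the TACACS+ server group on the ASA is named ACS, and the syntax is ASA 8.4+ (older releases use `pre-shared-key` and `vpn-tunnel-protocol IPSec`).

```cisco
! Added example (not from the original post). All names and subnets below are
! hypothetical: VLAN 6 = 10.6.0.0/24, client pool = 192.168.60.0/24,
! TACACS+ server group = ACS, connection profile = VLAN6-ONLY.

! Address pool handed to clients of this profile; the users themselves are
! still authenticated against AD through the existing TACACS+/ACS path.
ip local pool VLAN6_POOL 192.168.60.1-192.168.60.50 mask 255.255.255.0

! vpn-filter ACL. Write it from the client's side: source = VPN client
! address, destination = the network the client may reach. The ASA applies
! a vpn-filter to traffic in both directions of the tunnel, so this single
! permit covers VLAN 6 and the deny blocks every other VLAN (logged so a
! blocked attempt shows up in syslog).
access-list VLAN6_ONLY extended permit ip 192.168.60.0 255.255.255.0 10.6.0.0 255.255.255.0
access-list VLAN6_ONLY extended deny ip any any log

! Group policy that carries the filter and the pool.
group-policy GP_VLAN6 internal
group-policy GP_VLAN6 attributes
 vpn-filter value VLAN6_ONLY
 address-pools value VLAN6_POOL
 vpn-tunnel-protocol ikev1

! Dedicated connection profile. The Cisco VPN client selects it by the
! group name and group pre-shared key entered in the client's profile;
! user authentication stays on the existing TACACS+ server group.
tunnel-group VLAN6-ONLY type remote-access
tunnel-group VLAN6-ONLY general-attributes
 authentication-server-group ACS
 default-group-policy GP_VLAN6
tunnel-group VLAN6-ONLY ipsec-attributes
 ikev1 pre-shared-key <group-key>
```

To check it, connect with the client and confirm the session shows `VLAN6_ONLY` as its Filter Name (`show vpn-sessiondb remote` on the ASA), then try a host on VLAN 6 and a host on any other VLAN; only the first should answer, and the second should produce a deny entry in the ASA syslog. One caveat worth stating plainly: with this design the restriction is selected by the group pre-shared key, not by the AD account, so a user who also knows the key of a less restricted connection profile can connect there with the same AD credentials. Tying the group-policy to the user rather than to the profile requires the AAA server to return VPN authorization attributes, which the ASA takes from RADIUS (or LDAP), not from TACACS+, so that would mean adding a RADIUS service on the ACS for VPN users or locking the account to this profile on the ASA side.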