group-lock for vpn users with acs

Answered Question
Feb 11th, 2009

Hi,

Is there any way to control what VPN profile a user is allowed to use through Cisco ACS, or the router?

Using 2811 router IOS ver 12.4, ACS 4.1

I just want to be sure that the VPN user can only use the Client Profile assigned to them and no other Group Profiles.

Example:

User123abc gets their hands on a co-worker's profile.

HR_User_Profile.pcf

SALES_User_Profile.pcf

User123abc belongs to HR department and should only be able to authenticate with HR_User_Profile. If User123abc tries to authenticate using the SALES_User_Profile access should be denied.

Any documentation explaining how to set this up?

Ivan Martinon Thu, 02/12/2009 - 09:25

Unfortunately the only kind of group lock that routers support is with local authentication. Having an ACS will not be a viable solution since the router will not understand the class attribute sent back from the ACS (if any). You will find out that the router has the option of group-lock but this will only work when the user is stored on the router DB.

fredj1234 Thu, 02/12/2009 - 10:06

Thank you for your reply.

Is it possible to achieve this with a Cisco ASA5510 or does this device have the same limitation as the router?

Are there any other scalable Cisco solutions for this?

(just guessing like changing to a PKI authentication or something else??)

I also found this doc, but do not plan to use the VPN concentrator because it's EOL.

http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

Thanks.

Correct Answer
Ivan Martinon Thu, 02/12/2009 - 10:09

The ASA will be your option. This has to be controlled by the group-policy, group-lock, tunnel-group and class values on ACS and ASA

ansalaza Fri, 02/13/2009 - 09:21

Have you tried sending this "ipsec:user-vpn-group=XXXXXX" in cisco-av-pair?

This command was introduced in 12.2(13)T.

If RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.

ipsec:group-lock=1

Group-lock

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1182957

The User-VPN-Group attribute is a replacement for the Group-Lock attribute...

If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated.

ipsec:user-vpn-group=cisco

User-VPN-Group

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_easy_vpn_srvr_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1097654
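The quoted documentation describes the check in words; the following is an added example, not code from the thread or from Cisco, that models that decision logic so the behaviour can be traced case by case. It assumes the server sees the client's requested group as the ID_KEY_ID group name (pre-shared keys) or the certificate OU (RSA signatures), and that the RADIUS reply carries the `ipsec:user-vpn-group=<group>` string inside the cisco-av-pair attribute. The group names `HR` and `SALES`, the `ipsec:addr-pool` values and the `RadiusReply`/`ClientIdentity` types are constructed for the example; exact string comparison of the group names is an assumption of the model.

```python
# Added example, not code from the thread or from Cisco: a model of the
# Easy VPN server's User-VPN-Group check described above. The server knows
# which group the client asked for (the ID_KEY_ID group name for pre-shared
# keys, or the OU of the client certificate for RSA signatures) and compares
# it with the "ipsec:user-vpn-group=<group>" cisco-av-pair returned by the
# RADIUS server for that user. If they differ, the connection is dropped.
# Every value below is constructed sample data.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

USER_VPN_GROUP_KEY = "ipsec:user-vpn-group"


@dataclass
class RadiusReply:
    """Access-Accept/Reject plus the cisco-av-pair strings it carried."""
    accepted: bool
    av_pairs: List[str] = field(default_factory=list)


@dataclass
class ClientIdentity:
    """What IKE phase 1 tells the server about the client."""
    auth: str                          # "psk" or "rsa-sig"
    id_key_id: Optional[str] = None    # group name sent with pre-shared keys
    cert_ou: Optional[str] = None      # OU field of the client certificate


def user_vpn_group(reply: RadiusReply) -> Optional[str]:
    """Value of ipsec:user-vpn-group in the reply, or None when it is absent."""
    for pair in reply.av_pairs:
        key, sep, value = pair.partition("=")
        if sep and key.strip() == USER_VPN_GROUP_KEY:
            return value.strip()
    return None


def requested_group(identity: ClientIdentity) -> Optional[str]:
    """Group the client is trying to join, taken from the IKE identity."""
    if identity.auth == "psk":
        return identity.id_key_id
    if identity.auth == "rsa-sig":
        return identity.cert_ou
    return None


def authorize(identity: ClientIdentity, reply: RadiusReply) -> Tuple[bool, str]:
    """Decide whether the tunnel may come up; returns (allowed, reason)."""
    if not reply.accepted:
        return False, "RADIUS rejected the user"
    locked = user_vpn_group(reply)
    if locked is None:
        # Without the attribute nothing ties the user to a group, which is
        # exactly the situation the original poster wants to avoid.
        return True, "no ipsec:user-vpn-group attribute; any group accepted"
    asked = requested_group(identity)
    if asked is None:
        return False, "could not determine requested group from IKE identity"
    if asked != locked:  # assumption: exact string comparison of group names
        return False, f"user locked to group {locked!r}, asked for {asked!r}"
    return True, f"group {asked!r} matches ipsec:user-vpn-group"


# Constructed replies: what ACS might return for an HR user, and for a user
# whose ACS profile carries no lock attribute at all.
HR_USER_REPLY = RadiusReply(True, ["ipsec:addr-pool=hr-pool", "ipsec:user-vpn-group=HR"])
UNLOCKED_REPLY = RadiusReply(True, ["ipsec:addr-pool=default-pool"])


def demo() -> List[Tuple[str, bool]]:
    """Run the cases from the question and return (label, allowed) per case."""
    cases = [
        ("HR user, HR profile (PSK)", ClientIdentity("psk", id_key_id="HR"), HR_USER_REPLY),
        ("HR user, SALES profile (PSK)", ClientIdentity("psk", id_key_id="SALES"), HR_USER_REPLY),
        ("HR user, HR cert OU", ClientIdentity("rsa-sig", cert_ou="HR"), HR_USER_REPLY),
        ("no lock attribute, SALES", ClientIdentity("psk", id_key_id="SALES"), UNLOCKED_REPLY),
    ]
    results = []
    for label, ident, reply in cases:
        allowed, reason = authorize(ident, reply)
        print(f"{label:30} -> {'ALLOW' if allowed else 'DENY ':5} ({reason})")
        results.append((label, allowed))
    return results


if __name__ == "__main__":
    demo()
```

The fourth case is the one worth noticing: a user whose ACS profile has no `ipsec:user-vpn-group` value is not locked to anything, so the attribute has to be set for every VPN user, not just the ones you are worried about, for the lock to mean anything.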
