group-lock for vpn users with acs

fredj1234 (Level 1)

Hi,

Is there any way to control which VPN profile a user is allowed to use, through Cisco ACS or the router?

Using 2811 router IOS ver 12.4, ACS 4.1

I just want to be sure that the VPN user can only use the Client Profile assigned to them and no other Group Profiles.

Example:

User123abc gets their hands on a co-worker's profile.

HR_User_Profile.pcf

SALES_User_Profile.pcf

User123abc belongs to HR department and should only be able to authenticate with HR_User_Profile. If User123abc tries to authenticate using the SALES_User_Profile access should be denied.

Any documentation explaining how to set this up?


4 Replies

Ivan Martinon (Level 7)

Unfortunately the only kind of group lock that routers support is with local authentication. Having an ACS will not be a viable solution since the router will not understand the class attribute sent back from the ACS (if any). You will find out that the router has the option of group-lock but this will only work when the user is stored on the router DB.

Thank you for your reply.

Is it possible to achieve this with a Cisco ASA5510, or does this device have the same limitation as the router?

Are there any other scalable Cisco solutions for this?

(just guessing like changing to a PKI authentication or something else??)

I also found this doc, but do not plan to use the VPN concentrator because it's EOL.

http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

Thanks.

Accepted Solution

The ASA will be your option. This has to be controlled by the group-policy, group-lock, tunnel-group and class values on ACS and ASA
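The accepted solution above names the four pieces but not how they fit together. The following is an added configuration example, not taken from this thread or from Cisco documentation, showing how an ASA enforces the poster's HR/SALES scenario against an ACS RADIUS server. Assumed (not from the page): ASA 8.0-era syntax, the ACS address 10.0.0.5, the pool ranges, and every key, password and object name (ACS, HR_POLICY, SALES_POLICY, HR_POOL, SALES_POOL). The tunnel-group names HR and SALES stand in for whatever GroupName= the two .pcf files actually carry.

```cisco
! ASA 8.0-era syntax (assumed; on 8.4+ "vpn-tunnel-protocol ipsec" becomes "ikev1").
! RADIUS server = the existing ACS 4.1 box; address and shared secret are placeholders.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5
 key ChangeMeSharedSecret

ip local pool HR_POOL 10.1.1.1-10.1.1.50 mask 255.255.255.0
ip local pool SALES_POOL 10.1.2.1-10.1.2.50 mask 255.255.255.0

! One group-policy per department. "group-lock value" names the ONLY tunnel-group a
! user who receives this policy may connect through; any other tunnel-group is rejected.
group-policy HR_POLICY internal
group-policy HR_POLICY attributes
 vpn-tunnel-protocol ipsec
 address-pools value HR_POOL
 group-lock value HR
group-policy SALES_POLICY internal
group-policy SALES_POLICY attributes
 vpn-tunnel-protocol ipsec
 address-pools value SALES_POOL
 group-lock value SALES

! One tunnel-group per .pcf: the tunnel-group name must equal the GroupName= line in
! the profile, and the pre-shared-key must equal that profile's group password.
tunnel-group HR type remote-access
tunnel-group HR general-attributes
 authentication-server-group ACS
 default-group-policy HR_POLICY
tunnel-group HR ipsec-attributes
 pre-shared-key HrGroupPassword
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 authentication-server-group ACS
 default-group-policy SALES_POLICY
tunnel-group SALES ipsec-attributes
 pre-shared-key SalesGroupPassword

! ACS side (configured in the ACS GUI, not on the ASA): for User123abc, or for the
! ACS group that user belongs to, return IETF RADIUS attribute [025] Class with the
! value
!     OU=HR_POLICY;
! The ASA maps "OU=<name>;" to the group-policy of that name. Because HR_POLICY carries
! "group-lock value HR", an Xauth login by User123abc through tunnel-group SALES (that
! is, with SALES_User_Profile.pcf) is torn down even though the password was correct.
```

The check that matters is the one the .pcf cannot influence: the Class attribute is tied to the user in ACS, so whichever group password the client presents, the policy the user ends up with still locks them to their own tunnel-group. After a test login, `show vpn-sessiondb remote` on the ASA should list the HR user only under tunnel-group HR; the same user connecting with the SALES profile should authenticate and then be disconnected rather than appear in that output.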

ansalaza (Level 1)

Have you tried sending this "ipsec:user-vpn-group=XXXXXX" in cisco-av-pair?

Group-lock (ipsec:group-lock=1)

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1182957

This command was introduced in 12.2(13)T.

If RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.

User-VPN-Group (ipsec:user-vpn-group=cisco)

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_easy_vpn_srvr_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1097654

The User-VPN-Group attribute is a replacement for the Group-Lock attribute...

If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated.
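To make the User-VPN-Group suggestion concrete on the poster's own platform, here is an added Easy VPN server configuration for the 2811, written for this page and not taken from the thread or from Cisco documentation. Assumed (not from the page): the ACS address 10.0.0.5, the interface name, the 3DES/SHA/DH group 2 proposal, the pool ranges, and every key, password and list name (VPN_XAUTH, VPN_GROUP, EZVPN, TS, DYN, CM). The ISAKMP group names HR and SALES stand in for the GroupName= values in the two .pcf files.

```cisco
! Cisco 2811, IOS 12.4 (the poster's platform); addresses, keys and names are placeholders.
aaa new-model
radius-server host 10.0.0.5 key ChangeMeSharedSecret
! Xauth user authentication is sent to ACS; the group (policy) lookup stays local.
aaa authentication login VPN_XAUTH group radius
aaa authorization network VPN_GROUP local

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

! One ISAKMP client group per .pcf. The group name is the ID_KEY_ID the client sends
! and must equal the GroupName= line of the profile; "key" is that profile's group password.
crypto isakmp client configuration group HR
 key HrGroupPassword
 pool HR_POOL
crypto isakmp client configuration group SALES
 key SalesGroupPassword
 pool SALES_POOL
ip local pool HR_POOL 10.1.1.1 10.1.1.50
ip local pool SALES_POOL 10.1.2.1 10.1.2.50

crypto isakmp profile EZVPN
 match identity group HR
 match identity group SALES
 client authentication list VPN_XAUTH
 isakmp authorization list VPN_GROUP
 client configuration address respond

crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS
 set isakmp-profile EZVPN
 reverse-route
crypto map CM 10 ipsec-isakmp dynamic DYN

interface FastEthernet0/0
 crypto map CM

! ACS side (per user, under the Cisco IOS/PIX RADIUS attributes in the ACS GUI): return
!     cisco-av-pair = ipsec:user-vpn-group=HR
! for User123abc. When the Access-Accept for the Xauth login arrives, the router compares
! this string with the ID_KEY_ID group the client negotiated in phase 1. A login by this
! user through group SALES (SALES_User_Profile.pcf) is terminated at that point; no
! "group-lock" command is needed under the ISAKMP groups for RADIUS-authenticated users.
```

The phase 1 group password in the .pcf only selects the ISAKMP group; it is the per-user attribute returned by ACS that binds the user to one group, which is why obtaining a co-worker's profile does not help. To confirm the rejection during testing, run `debug radius` (to see the cisco-av-pair come back) together with `debug crypto isakmp` on the router while User123abc connects once with each profile.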
