Assign RADIUS server to specific VPN 3000 groups

Answered Question
Aug 31st, 2009

Last week, I assigned a test server Cisco ACS to act as the authentication and accounting device for a specific group on a Cisco VPN Concentrator 3060. When I looked at ACS, it appeared that not only the group was going there but others were passing through as well and using the defaults on the Cisco Secure ACS. Is there a way that I can ensure that only the traffic assigned to that specific VPN group will use the ACS server defined?

Thank you

Correct Answer by Jagdeep Gambhir, Mon, 08/31/2009 - 10:29

Hi,

Not sure about your setup. But you need to set up group mapping so that only a specific AD group can authenticate.

In external DB group mapping, map

ACS VPN group----->with<---- AD VPN group

All other combinations should point to the No Access group.



Regards,

~JG


Do rate helpful posts

Overall Rating: 5 (1 ratings)

dpatkins Mon, 08/31/2009 - 11:35

JG,


I did have the group mapping, but while doing some testing with LDAP and ACS, I mapped two additional groups to prove that an upgrade was successful. I will set the All other combinations back to the no access group.


Let me test.


Dwane
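
The mapping rule from the answer and the leftover test mappings described in this reply, as an added example that is not part of the original thread and is not Cisco code: a simplified model of external-database group mapping that lists which users would still authenticate. It assumes first-match ordering and a default mapping for unmatched users; all group and user names are constructed.

```python
# Simplified model (an assumption, not Cisco Secure ACS code): mappings are
# checked in order, a mapping matches when the user belongs to every directory
# group in its set, and users that match nothing get the default mapping
# ("all other combinations").

NO_ACCESS = "No Access"        # hypothetical name of the deny group
INTENDED_AD = "AD-VPN-Users"   # hypothetical AD group allowed to use the VPN


def resolve(user_groups, mappings, default_group):
    """Return the ACS group a user lands in under the given mapping table."""
    for ad_set, acs_group in mappings:
        if ad_set <= user_groups:      # user is a member of every group in the set
            return acs_group
    return default_group


def audit(users, mappings, default_group):
    """Return sorted (user, acs_group) pairs that get access without the intended AD group."""
    findings = []
    for name, groups in users.items():
        acs_group = resolve(groups, mappings, default_group)
        if acs_group != NO_ACCESS and INTENDED_AD not in groups:
            findings.append((name, acs_group))
    return sorted(findings)


# Constructed sample directory.
USERS = {
    "alice": frozenset({"AD-VPN-Users", "Domain Users"}),
    "bob": frozenset({"Helpdesk", "Domain Users"}),
    "carol": frozenset({"Domain Users"}),
}

# Loose state: a test mapping left in place and a permissive default.
LOOSE = [
    (frozenset({"AD-VPN-Users"}), "ACS-VPN"),
    (frozenset({"Helpdesk"}), "ACS-Test"),
]

# Strict state: one mapping, everything else denied.
STRICT = [(frozenset({"AD-VPN-Users"}), "ACS-VPN")]

if __name__ == "__main__":
    print("loose :", audit(USERS, LOOSE, "Default Group"))
    print("strict:", audit(USERS, STRICT, NO_ACCESS))
```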

dpatkins Mon, 08/31/2009 - 11:39

JG,


If I put an authentication and authorization server at a single group level, then shouldn't that group be the only one who utilizes that server?


Thanks


DWane

Jagdeep Gambhir Mon, 08/31/2009 - 13:28

Hi DWane,

Setting up a single authentication and authorization server in the VPN 3000 should work fine.



Regards,

~JG

