Assign radius server to specific VPN 3000 groups

Answered Question
Aug 31st, 2009

Last week, I assigned a test server Cisco ACS to act as the authentication and accounting device for a specific group on a Cisco VPN Concentrator 3060. When I looked at ACS, it appeared that not only the group was going there but others were passing through as well and using the defaults on the Cisco Secure ACS. Is there a way that I can ensure that only the traffic assigned to that specific VPN group will using the ACS server defined?

THank you

I have this problem too.
0 votes
Correct Answer by Jagdeep Gambhir about 7 years 3 months ago

Hi ,

Not sure about your set up. But you need to set up group mapping so that only specific AD group can authentication.

In external db group mapping, map

ACS VPN group----->with<---- AD VPN group

All other combination should point to No access group.

Regards,

~JG

Do rate helpful posts

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jagdeep Gambhir Mon, 08/31/2009 - 10:29

Hi ,

Not sure about your set up. But you need to set up group mapping so that only specific AD group can authentication.

In external db group mapping, map

ACS VPN group----->with<---- AD VPN group

All other combination should point to No access group.

Regards,

~JG

Do rate helpful posts

dpatkins Mon, 08/31/2009 - 11:35

JG,

I did have the group mapping, but while doing some testing with LDAP and ACS, I mapped two additional groups to prove that an upgrade was successful. I will set it back the All other combinations to no access group.

Let me test.

Dwane

dpatkins Mon, 08/31/2009 - 11:39

JG,

If I put an authentication and authorization server at a single group level, then shouldn't that group be the only one who utilizes that server?

Thanks

DWane

Jagdeep Gambhir Mon, 08/31/2009 - 13:28

Hi DWane,

Setting up single authen and author server in vpn3000 should work fine.

Regards,

~JG

Actions

This Discussion