04-22-2010 08:33 AM
We have an Enterprise CA set up in our organisation and a Cisco 5550 ASA that is going to be used for VPN users. The ASA has the CA certificate installed, an identity certificate issued by the CA, and is retrieving the CRL from the CA. The ASA authenticates against a Cisco ACS server via IETF RADIUS.
We have two separate groups of SSL VPN users. When they apply for a user certificate from our CA we ask them to fill out the OU/Department field in their certificate as either SSL_Support_Group or SSL_Test_Group.
In the ACS server we have two separate groups for these users: SSL_Support_Group and SSL_Test_Group. Both groups have the IETF [025] attribute ticked and both have the OU attribute set to the same as the OU specified in the certificate (i.e. OU=SSL_Support_Group;).
In the ASA we have separate SSL VPN Connection Profiles for both groups.
What we want to achieve is this. If a user logs into SSL VPN using a certificate that has the OU set to SSL_Support_Group but is in SSL_Test_Group in the ACS, then their login should be rejected. And vice versa.
At the moment, if a user logs in with OU=SSL_Support_Group in their certificate but OU=SSL_Test_Support in the ACS, then they are allowed to log in but their policy is changed to SSL_Test_Group.
Is there a way to achieve what we are trying to do and if so how can we configure this?
04-22-2010 08:53 AM
I should also have mentioned that we have certificate to SSL VPN Connection Profile maps configured for both groups.
For example:
OU=SSL_Support_Group maps to the SSL_Support_Group Connection Profile
04-30-2010 06:55 AM
Does anyone have any feedback on this or do I need to clarify what we are trying to achieve?
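One way to get the rejection behaviour the thread asks for is the ASA group-policy `group-lock` attribute: when the ACS returns a group policy (via the IETF Class attribute, "OU=...;") whose group-lock names a different connection profile than the one the certificate map selected, the ASA drops the session instead of silently switching policy. The fragment below is an added illustration, not the poster's configuration or Cisco documentation; the connection-profile names (`*_Profile`), the AAA server-group name `ACS`, and the certificate-map names are assumptions.

```cisco
! Group policies, named to match the "OU=...;" Class values the ACS returns.
! group-lock ties each policy to one connection profile (tunnel-group);
! a mismatch between the cert-mapped profile and the ACS-returned policy is rejected.
group-policy SSL_Support_Group internal
group-policy SSL_Support_Group attributes
 vpn-tunnel-protocol ssl-clientless ssl-client
 group-lock value SSL_Support_Group_Profile
group-policy SSL_Test_Group internal
group-policy SSL_Test_Group attributes
 vpn-tunnel-protocol ssl-clientless ssl-client
 group-lock value SSL_Test_Group_Profile
!
! Certificate maps selecting the connection profile from the certificate OU
! (the thread says these already exist; shown so the lock target is visible).
crypto ca certificate map SSL_Support_Map 10
 subject-name attr ou eq SSL_Support_Group
crypto ca certificate map SSL_Test_Map 10
 subject-name attr ou eq SSL_Test_Group
webvpn
 certificate-group-map SSL_Support_Map 10 SSL_Support_Group_Profile
 certificate-group-map SSL_Test_Map 10 SSL_Test_Group_Profile
!
! Connection profiles: certificate plus AAA (ACS) authentication, with the
! matching group policy as the default for sessions where ACS returns none.
tunnel-group SSL_Support_Group_Profile type remote-access
tunnel-group SSL_Support_Group_Profile general-attributes
 authentication-server-group ACS
 default-group-policy SSL_Support_Group
tunnel-group SSL_Support_Group_Profile webvpn-attributes
 authentication aaa certificate
tunnel-group SSL_Test_Group_Profile type remote-access
tunnel-group SSL_Test_Group_Profile general-attributes
 authentication-server-group ACS
 default-group-policy SSL_Test_Group
tunnel-group SSL_Test_Group_Profile webvpn-attributes
 authentication aaa certificate
```

With this in place, a certificate carrying OU=SSL_Support_Group lands in SSL_Support_Group_Profile; if the ACS then returns the SSL_Test_Group policy, its group-lock points at SSL_Test_Group_Profile and the login fails, which is the cross-group case the thread wants rejected. Check the outcome in `show vpn-sessiondb` and the ASA syslog rather than assuming it from the config.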