VPN with RSA tokens

May 10th, 2010

Is there a way to have the ASA, when people VPN in to the ASA, put them on their VLAN used internally, by authentication?

I am currently implementing the use of RSA tokens for VPN access. It works with the SDI protocol. Currently I use an address pool for the VPN. Everyone that logs in gets put on the same address pool.

Federico Coto F... Mon, 05/10/2010 - 12:48


The only way I see to be able to put VPN users in their corresponding VLAN is to assign them their corresponding IP address.


You have three VLANs:




So, you can have three VPN pools, to assign to the clients based on their profile.

They will receive an IP address depending on which profile they connect to (corresponding VLAN).

Is this what you want?


Nicholas Wysocki Mon, 05/10/2010 - 12:55

I know I would have to create a logical interface per VLAN. The hosts, when logging in inside, are assigned by DHCP /24. If I was to give the same address pool per VLAN there might be duplicated IPs. But with trying to give all the employees one address to VPN on, how would the ASA know which pool to pull from? Is there any way to get info from the SDI server when they log in?

sjbdallas Mon, 05/10/2010 - 13:01

The RSA server can't do that. I think you'd need to use a RADIUS server to apply those attributes.

Have all your auth go against the RADIUS server and assign VLANs based on some attribute there (userid, IP they're coming from, etc.).

Federico Coto F... Mon, 05/10/2010 - 13:04


Not sure if you can get those attributes from SDI server.

However, on the ASA itself, you can force a VPN client to authenticate to a specific group and obtain the network information and all parameters from that specific group.
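
The per-profile pools and group-bound parameters suggested in the replies above, sketched as an ASA configuration. This is an added example, not part of any post in the thread; every name, VLAN ID and address in it is a constructed placeholder, and it shows two profiles (a third follows the same pattern).

```cisco
! Constructed example: names, VLAN IDs and addresses are placeholders.
! Assumes VLAN 10 and VLAN 20 already exist as subinterfaces on the ASA.

! RSA server reached over the native SDI protocol
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.10

! One pool per profile; ranges must not overlap each other or the
! ranges the internal DHCP server hands out (avoids duplicate IPs)
ip local pool POOL-ENG 10.10.110.10-10.10.110.250 mask 255.255.255.0
ip local pool POOL-FIN 10.10.120.10-10.10.120.250 mask 255.255.255.0

! Group policies carry the pool and the VLAN restriction
group-policy GP-ENG internal
group-policy GP-ENG attributes
 address-pools value POOL-ENG
 vlan 10
group-policy GP-FIN internal
group-policy GP-FIN attributes
 address-pools value POOL-FIN
 vlan 20

! Connection profiles: all authenticate against the same SDI server,
! but each one hands out its own group policy
tunnel-group ENG type remote-access
tunnel-group ENG general-attributes
 authentication-server-group RSA-SDI
 default-group-policy GP-ENG
tunnel-group FIN type remote-access
tunnel-group FIN general-attributes
 authentication-server-group RSA-SDI
 default-group-policy GP-FIN
```

In this layout the connection profile the client connects to selects the pool and VLAN; the SDI server only validates the passcode.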


Nicholas Wysocki Mon, 05/10/2010 - 13:26

The RADIUS server is the SDI server as well; it's built in. When I changed the aaa-server to use the RADIUS part, the username and password prompt pops up but my credentials did not work. I even tried putting the token number for the password. What config would be able to pull the group info and use it as part of the assignment?

