ACS + ASA + VPN + Certificates problem

Unanswered Question
Jun 30th, 2010

Hi CSC Team,

I'm currently struggling with a problem concerning VPN logins. To be honest, I'm not sure if this problem can be solved.

My setup looks like the following:

ACS Server 4.2 for AAA

ASA 8.2 as VPN endpoint

Cisco VPN Client

The VPN Client connects to the ASA using certificates. Based on the certificate map, the ASA assigns a VPN tunnel-group; in this tunnel group AAA is configured using RADIUS against the ACS.

When the user is authenticated, dACLs are downloaded etc. This works perfectly.

What I now need is: if the same user logs in with another certificate, the ASA should assign a different tunnel group and should do AAA again against the ACS server, but should then get a totally different set of dACLs.


User A – connects to ASA1 – gets tunnel group VPNClient – AAA dACL from ACS1 = permit ip any any

User A – connects to ASA1 – gets tunnel group Smartphone – AAA dACL from ACS1 = permit tcp any host x.x.x.x eq 80

I hope someone has an idea how to solve this. Thanks in advance.
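The setup the post describes, written out as an added ASA 8.2 configuration sketch (not the poster's own configuration): two certificate maps steer certificate-authenticated clients into the two tunnel groups, and both tunnel groups authenticate against the same RADIUS server group for ACS1. Map names, the certificate subject attributes matched, the ACS address and the shared secret are placeholders, not values from the post; the ACS-side rule that would return a different dACL per tunnel group is the open question and is not shown.

```cisco
! Certificate maps: which client certificate lands in which tunnel group.
! The subject-name rules below are placeholders; match on whatever
! distinguishes the PC certificate from the smartphone certificate.
crypto ca certificate map CERTMAP-PC 10
 subject-name attr ou eq Laptops
crypto ca certificate map CERTMAP-PHONE 20
 subject-name attr ou eq Smartphones
!
! Single RADIUS server group pointing at ACS1 (placeholder address/key).
! Both tunnel groups below send their Access-Requests here, so ACS1 must
! be able to tell the two request types apart to return different dACLs.
aaa-server ACS1 protocol radius
aaa-server ACS1 (inside) host 10.0.0.10
 key PLACEHOLDER-SHARED-SECRET
!
! Tunnel group used by the Cisco VPN Client on PCs.
tunnel-group VPNClient type remote-access
tunnel-group VPNClient general-attributes
 authentication-server-group ACS1
!
! Tunnel group used by the same user when connecting from a smartphone.
tunnel-group Smartphone type remote-access
tunnel-group Smartphone general-attributes
 authentication-server-group ACS1
!
! Turn on certificate-map based tunnel-group selection and bind the maps.
tunnel-group-map enable rules
tunnel-group-map CERTMAP-PC 10 VPNClient
tunnel-group-map CERTMAP-PHONE 20 Smartphone
```

Because both groups use the same server group and the same username, the only things that differ in the RADIUS exchange are what the ASA itself puts into the Access-Request for each tunnel group, which is what ACS1 would have to key on.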

