User/Group based ACLs with VPN Concentrator 3005

Answered Question
Jul 26th, 2010

Hi Guys,

I'm interested in implementing authorization (of sorts) on my VPN concentrator. Let me elaborate on my objectives. I would like a subset of my remote users to have access to certain systems on the network and the other users a different set of systems.

I'm hoping I can achieve this using ACLs based on group authentication; however, I cannot find where I might configure this.

I suppose I could assign the various groups a different DHCP scope and use my firewalls to achieve the same thing but this adds administrative overhead I would prefer to avoid.

Can anyone advise if my plan to use different ACLs based on group is viable, and if so how I configure this?

Thanks in advance

Rgds

Scott

Correct Answer by Todd Pula about 6 years 4 months ago

Here is the doc in .pdf format...

Scott Cannon Mon, 08/02/2010 - 16:22

Hi Todd,

I cannot access the document with my CCO. Looking at the URL, it's in the partner section. Perhaps you can email it to me? Or is it available elsewhere?

Rgds

Scott

Scott Cannon Tue, 08/03/2010 - 15:40

Hi Todd,

Thanks so much. Looks like this will do the trick. Very much appreciated!

Cheers

Scott

Scott Cannon Mon, 08/02/2010 - 16:21

Hi Charles,

Thanks for that, an interesting read; however, I don't believe it is applicable to my situation since I don't use a Cisco RADIUS solution for AAA.

What I have is 3005s at the perimeter acting as the VPN end-point. These end-points authenticate connections locally and do XAUTH via an RSA RADIUS server. There are a couple of ASAs between the 3005s and the RADIUS servers; however, they don't do any AAA as such.

The document you've provided me with seems to indicate authorisation needs to be done on a Cisco device that can store the ACLs, and provides examples for using ASAs. I would prefer to do it on the 3005s, if possible, and leave the ASAs untouched (assume the rules on the ASA allow all traffic through, and access will be more tightly defined at the 3005).

If you have any suggestions/further documentation to support my desired setup I'm all ears.

Thanks in advance

Cheers

Scott
