User/Group based ACLs with VPN Concentrator 3005

Scott Cannon
Level 1

Hi Guys,

I'm interested in implementing authorization (of sorts) on my VPN concentrator. Let me elaborate on my objectives. I would like a subset of my remote users to have access to certain systems on the network and the other users a different set of systems.

I'm hoping I can achieve this using ACLs based on group authentication; however, I cannot find where I might configure this.

I suppose I could assign the various groups a different DHCP scope and use my firewalls to achieve the same thing but this adds administrative overhead I would prefer to avoid.

Can anyone advise if my plan to use different ACLs based on group is viable, and if so, how I configure this?

Thanks in advance

Rgds

Scott


6 Replies

You can also configure a static filter at the group level. Please refer to the sample configuration below.

http://www.cisco.com/en/US/partner/tech/tk59/technologies_configuration_example09186a0080094eac.shtml

Hi Todd,

I cannot access the document with my CCO. Looking at the URL, it's in the partner section. Perhaps you can email it to me? Or is it available elsewhere?

Rgds

Scott

Here is the doc in .pdf format...

Hi Todd,

Thanks so much. Looks like this will do the trick. Very much appreciated!

Cheers

Scott

Hi Charles,

Thanks for that, an interesting read; however, I don't believe it is applicable to my situation since I don't use a Cisco RADIUS solution for AAA.

What I have is 3005's at the perimeter acting as the VPN end-point. These end-points authenticate connections locally and do XAUTH via an RSA RADIUS server. There are a couple of ASAs between the 3005s and the RADIUS servers; however, they don't do any AAA as such.

The document you've provided me with seems to indicate authorisation needs to be done on a Cisco device that can store the ACLs, and provides examples for using ASAs. I would prefer to do it on the 3005s, if possible, and leave the ASAs untouched (assume the rules on the ASA allow all traffic through, and access will be more tightly defined at the 3005).

If you have any suggestions/further documentation to support my desired setup I'm all ears.

Thanks in advance

Cheers

Scott
