Secure ACS 5.2 and Microsoft NPS

Unanswered Question
Dec 7th, 2011

Greetings all!

I'd like to ask you guys if you have ever had to configure a deployment the way my client wants.

We're using Cisco Secure ACS 5.2 as a proxy AAA server, using Active Directory as an External Identity Store. They are already synced and connected, and thus I can log in to the VPN using my domain credentials.

But that's not enough. My client needs to limit who can and can't establish a VPN session. I mean, the way it is now, EVERY single employee can do that if his/her credentials are valid in the Active Directory domain controller. So I need to do two things:

1) Using the Microsoft NPS server, via the dial-in attribute, allow or deny VPN sessions using ACS/ASA;

2) Using the 'company' user credential attribute to identify which Authorization Group the requesting user should be in; Downloadable ACLs will then be applied according to the access policies created for each company.

I've looked for documentation in the Cisco portal but couldn't find anything really useful. Can anyone help me out?

Thanks in advance!

Regards, Dan

danielfycosta Thu, 12/08/2011 - 07:30

Ok! I've managed to get the 'company' attribute working and use it to trigger the various Group Mapping >> Authorization Profiles I have configured in the ACS.

The remaining problem is the 'msNPAllowDialin' attribute. Is there any way to do this check on ACS 5.2? I heard it's a built-in check on version 5.3, but I'm afraid to upgrade since I've seen many, many issues here on the NetPro forums regarding this new version.

Any thoughts on this one?

Thanks once more!

Regards, Dan

Nicolas Darchis Thu, 12/08/2011 - 09:07

You can create a compound condition in your authorization policy. The compound condition can use any AD attribute you configured.

danielfycosta Thu, 12/08/2011 - 09:32

Hey Nicolas!

Thanks for your reply! Unfortunately I don't know how to make a compound condition using the 'msNPAllowDialin' attribute. Using the 'company' attribute I was able to do a compound condition, since the ACS actually gets that from the user credentials; see the picture attached.

When I create the 'msNPAllowDialin' attribute, the report says:

24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.

24458 Not all Active Directory attributes are retrieved successfully

Besides, the logic type of the 'msNPAllowDialin' attribute is Boolean, and I can't create a compound rule using this type; only String, IPv4 Address and Unsigned Int 32bits types are available. I've tried setting it to String and Unsigned Int, but the error message is the same.

Any other suggestion?

Thanks again!

Regards, Dan
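An added PowerShell audit, not from this thread or from Cisco, that reads the two AD attributes discussed above ('company' and 'msNPAllowDialin') for every enabled account, so an administrator can see which users carry no explicit dial-in value at all before relying on that attribute in an authorization policy. The search base and output path are placeholders; it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example (not from the thread): audit 'msNPAllowDialin' and 'company'
# per enabled AD account and summarise them per company.
Import-Module ActiveDirectory

# Placeholder: replace with the container that holds the VPN users.
$searchBase = 'OU=Users,DC=example,DC=com'

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase `
                    -Properties msNPAllowDialin, company

$report = foreach ($u in $users) {
    # msNPAllowDialin is a Boolean in the schema. When the dial-in setting has
    # never been set explicitly, the attribute is absent from the object, which an
    # identity store reports as "attribute not found" rather than as FALSE
    # (assumption, consistent with the 24100 message quoted in the thread).
    $dialIn = 'NotSet'
    if ($null -ne $u.msNPAllowDialin) {
        $dialIn = if ($u.msNPAllowDialin) { 'Allow' } else { 'Deny' }
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Company        = if ($u.company) { $u.company } else { '(none)' }
        DialIn         = $dialIn
    }
}

# Per-company summary: explicitly allowed, explicitly denied, or unset.
$report | Group-Object Company | ForEach-Object {
    $g = $_.Group
    [pscustomobject]@{
        Company = $_.Name
        Allow   = @($g | Where-Object DialIn -eq 'Allow').Count
        Deny    = @($g | Where-Object DialIn -eq 'Deny').Count
        NotSet  = @($g | Where-Object DialIn -eq 'NotSet').Count
    }
} | Format-Table -AutoSize

# Accounts with no explicit value are the ones a policy that expects the
# attribute cannot evaluate; export them so they can be set to Allow or Deny.
$report | Where-Object DialIn -eq 'NotSet' | Sort-Object Company, SamAccountName |
    Export-Csv -Path .\dialin-notset.csv -NoTypeInformation
```

Run it from an account with read access to the user objects; the CSV lists exactly the accounts for which ACS would fall back to the default value, if one is configured.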

Posted December 7, 2011 at 8:05 AM