×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

One user per One Group

Unanswered Question
Jul 10th, 2003
User Badges:

I have a Concentrator VPN3015 (3.6.7), and I'm using IPSec Client 3.6. I have configured 3 groups with internal authentication, each group permit remote access an authentication RADIUS. This configuration works, but, one self user can belong to this 3 groups. I want to restrict one user to one group. for example, sales group only must permit sale's users, you don´t forget that all users are defined into the RADIUS Server.


How I do it?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
gfullage Thu, 07/10/2003 - 19:37
User Badges:
  • Cisco Employee,

you define an attribute on the Radius server for each user that specifies what concentrator group they belong to. That way no matter what concentrator group they configure in their VPN client, they'll be locked into, and get all the attributes of, whatever group is defined for them in the Radius server attribute.


See http://www.cisco.com/warp/public/471/altigagroup.html for details.

soylo Fri, 07/11/2003 - 16:16
User Badges:

I tested, but it didn't worked. I'm using ACE/SERVER Radius v5.0.01 from RSA. The authentication is OK. but, so far, I can't lock user into the group. Into the Radius, user's profile, I have defined Class OU=g_piloto; g_piloto match with the name concentrator group.


Please Help me.


Sergio

gmiiller Sun, 07/13/2003 - 14:17
User Badges:

Your issue here is that you have a single authentication means (and a common authentication database) for all 3 groups. Because all of your users are authenticated against the one source, if the users possess all of the different group files (profiles) they can authenticate in any of the groups defined on your concentrator.


You can get around this using radius/IAS. They way that you do this is:


define a different radius server by ip address for authentication on each of your groups.


On your radius server, define three different NAS's by IP address to represent your three groups on your concentrator. Set your IAS policies so that users from each NAS will ONLY be accepted if they are also a members of a WINDOWS group called (whatever you want the group called)


Create the 3 groups in your windows domain, and assign your users to them


NOW, the hard part is that between your concentrator and your windows IAS box, you have to perform a heap of network address translation so that the request from the VPN concentrator to the 3 "separate" radius ip addresses have destination NATed to the address of your windows IAS, whilst having source NATed to the 3 different group addresses. My network is a hybrid of routers/FW1/Pix/Gauntlet and Cyberguard, so I have a few ways of doing this, you'll have to make do with what you have. Also, watch out for Radius packet-level authentication, as this sort of thing can make it complain.

Actions

This Discussion