I have a tricky authentication case to submit:
My users are on Active Directory in two groups:
- VPN Users
- Network admins
The groups are mirrored (bound) in the ACS.
I have a PIX configured as a VPN server. Both the VPN users and the network admins are authenticated by ACS (RADIUS for VPN, and TACACS+ or RADIUS for admins).
I only want my network admins to be able to log on to my PIX, and only my VPN users to be able to connect by VPN.
Here's the question:
How do you segregate those two groups so they only have access to what's permitted for them? NAR doesn't work because only the PIX does the requests...
Right now, as configured above, both groups can do everything.
Thanks for your help.