AAA, different groups, different roles, same equipment

Unanswered Question
Feb 14th, 2006

Hello,

I have a tricky authentication case to submit:

My users are on Active Directory in two groups:

- VPN Users

- Network admins

The groups are mirrored (bound) in the ACS.

I have a PIX configured as a VPN server. Both the VPN users and the network admins are authenticated by ACS (RADIUS for VPN, and TACACS+ or RADIUS for admins).

I only want my network admins to be able to log on to my PIX, and only my VPN users to be able to connect by VPN.

Here's the question:

How do you segregate those two groups so they only have access to what's permitted for them? NAR doesn't work because only the PIX does the requests....

Right now, as configured above, both groups can do everything.

Thanks for your help

Antoine

darpotter Wed, 02/15/2006 - 06:53

Hi

Try this. In the VPN group create an IP-based NAR that doesn't permit anything. This will get applied to any TACACS+ device admin type authentication.

In the admin users group, create a CLI/DNIS NAR that doesn't allow anything.

Generally, IP NARs get applied to TACACS+ and DNIS/CLI to RADIUS.

In theory a T+ login from a VPN user will get filtered and a RADIUS login from an admin user will get filtered.

The possible stumbling point is how ACS applies the NAR to RADIUS VPN authentications. It uses some tortuous logic, but generally:

if ip address in authen rq ---> apply ip filter

if no ip address ----> apply dnis/cli filter

Fingers crossed the VPN auths don't include Framed-IP-Address!!

Don't think even ACS v4.0 helps a huge amount, because network access profiles (NAP) are RADIUS only.

Darran
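The following is an added example, not code from either poster or from Cisco ACS. It is a toy model of the NAR selection rule Darran describes (TACACS+ and RADIUS requests carrying an IP get the IP NAR; RADIUS requests without one get the CLI/DNIS NAR) applied to the two deny-all NARs he suggests, so the split between the groups can be checked on paper, including the stumbling point where a RADIUS VPN authentication does include Framed-IP-Address. The group names mirror the AD groups in the question; the user names, the `GroupNARs`/`AuthRequest` types and the `"deny_all"` marker are constructed for the example.

```python
# Added example, not from the thread or from Cisco ACS: a toy model of the NAR
# evaluation order described in the reply. Configuration, users and types are
# constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Group names as given in the question (assumed to be the ACS group names too).
VPN_GROUP = "VPN Users"
ADMIN_GROUP = "Network admins"


@dataclass(frozen=True)
class GroupNARs:
    """NARs configured on a group. None = no NAR of that type;
    'deny_all' = a NAR whose permitted list is empty ("doesn't permit anything")."""
    ip_nar: Optional[str] = None
    cli_dnis_nar: Optional[str] = None


@dataclass(frozen=True)
class AuthRequest:
    protocol: str                   # "tacacs+" or "radius"
    user: str
    framed_ip: Optional[str] = None  # RADIUS Framed-IP-Address, if the request carried one


# Constructed configuration following the reply's suggestion:
# VPN group gets a deny-all IP NAR (catches TACACS+ admin logins),
# admin group gets a deny-all CLI/DNIS NAR (catches RADIUS VPN logins).
GROUP_CONFIG = {
    VPN_GROUP: GroupNARs(ip_nar="deny_all"),
    ADMIN_GROUP: GroupNARs(cli_dnis_nar="deny_all"),
}

# Constructed user-to-group membership (stands in for the AD-mapped groups).
MEMBERSHIP = {"antoine": ADMIN_GROUP, "alice": VPN_GROUP}


def select_nar(req: AuthRequest, cfg: GroupNARs) -> Optional[str]:
    """Pick the NAR ACS would evaluate, per the reply: a request that carries an
    IP address (every TACACS+ request, and a RADIUS request with
    Framed-IP-Address) is checked against the IP NAR; otherwise the CLI/DNIS NAR."""
    if req.protocol == "tacacs+" or req.framed_ip is not None:
        return cfg.ip_nar
    return cfg.cli_dnis_nar


def evaluate(req: AuthRequest) -> str:
    """Return 'permit' or 'deny' for one authentication request.
    Unknown users are denied; a group with no NAR of the selected type is not
    restricted by NAR at all."""
    group = MEMBERSHIP.get(req.user)
    if group is None:
        return "deny"
    nar = select_nar(req, GROUP_CONFIG[group])
    if nar is None:
        return "permit"
    return "deny" if nar == "deny_all" else "permit"


def decision_matrix() -> dict:
    """Evaluate the cases discussed in the thread, keyed by a short label."""
    cases = {
        "admin via TACACS+ (PIX login)": AuthRequest("tacacs+", "antoine"),
        "vpn user via TACACS+ (PIX login)": AuthRequest("tacacs+", "alice"),
        "vpn user via RADIUS (VPN)": AuthRequest("radius", "alice"),
        "admin via RADIUS (VPN)": AuthRequest("radius", "antoine"),
        # The stumbling point: a VPN auth that carries Framed-IP-Address is
        # checked against the IP NAR, so the VPN group's deny-all IP NAR bites.
        "vpn user via RADIUS with Framed-IP-Address": AuthRequest(
            "radius", "alice", framed_ip="10.0.0.5"),
    }
    return {label: evaluate(req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, result in decision_matrix().items():
        print(f"{label:45s} -> {result}")
```

The last row of `decision_matrix()` is the case Darran is worried about: if the PIX includes Framed-IP-Address in the RADIUS request, the VPN group's own IP NAR is selected and the legitimate VPN user is denied, so that attribute is the thing to check in a RADIUS capture or the ACS failed-attempts log before relying on this split.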
