I am attempting to set up individual admin accounts for customers to administer their VPN users, and ran into an interesting loophole. Under each user there is the Advanced settings section where the NARs are, and that user can access the other customers' NARs and gain VPN access to their devices. How can I restrict those users to only add/remove users under his group without showing the rest of the permissions?
I don't think that is possible. Those admin users will be able to view all configuration for that user.
Read access to users in these groups.
Enables read-only access to users in the Editable groups.
When the Add/Edit users in these groups option is enabled, it overrides the settings in the Read access to users in these groups option.
If the Add/Edit users in these groups option is checked (enabled), it does not matter if this setting is enabled or disabled. The Add/Edit users in these groups setting overrides this setting, and the administrator can edit all users in the Editable groups.
If the Add/Edit users in these groups option is unchecked (disabled):
* Check this check box to grant the administrator read access to the users in the Editable groups. In this case, the administrator cannot submit changes.
* When unchecked, administrators cannot view users.
I think I know where you are going, but the admin user doesn't have access to users in the other groups, just in the group assigned. The problem I see is that under a user account, the other groups show up, and he can add a user to that group, and then that user would be able to log into the other group's VPN servers.
Where would I send in a feature request for this? I am a bit surprised it hasn't come up before. I am finding the ACS very useful for customer VPNs where the customer doesn't have their own RADIUS server and we admin their firewall.
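To make the loophole concrete, here is a small model of the behaviour described in this thread (the Add/Edit-overrides-Read precedence quoted from the documentation, and the unscoped group drop-down the original poster reports). This is an added, constructed example written for this page; it is not ACS code and calls no ACS API. The group names, the device names, the `group_devices` NAR mapping and the `assign_group_scoped` compensating check are all assumptions for illustration; ACS itself offers no such per-group scoping of the target group, which is exactly the gap the thread is about.

```python
"""Hypothetical model of the Secure ACS admin-privilege behaviour described in
the thread. Constructed example; it is not ACS code and uses no ACS API."""
from dataclasses import dataclass


@dataclass
class AdminPrivs:
    """Subset of the ACS 'Administrator Control' options quoted in the thread."""
    editable_groups: frozenset   # the 'Editable groups' the admin is scoped to
    add_edit_users: bool         # 'Add/Edit users in these groups'
    read_users: bool             # 'Read access to users in these groups'


@dataclass
class Directory:
    """Constructed stand-in for the ACS user database (assumption)."""
    user_group: dict             # username -> group name
    group_devices: dict          # group -> devices its NAR permits (constructed)


def effective_access(p: AdminPrivs) -> str:
    """Precedence from the quoted documentation: Add/Edit overrides Read."""
    if p.add_edit_users:
        return "edit"
    return "read" if p.read_users else "none"


def visible_users(d: Directory, p: AdminPrivs) -> set:
    """An admin only sees users currently in one of the editable groups."""
    if effective_access(p) == "none":
        return set()
    return {u for u, g in d.user_group.items() if g in p.editable_groups}


def reachable_devices(d: Directory, user: str) -> set:
    """Devices the user's current group NAR lets that user log in to."""
    return set(d.group_devices.get(d.user_group[user], ()))


def assign_group_unchecked(d: Directory, p: AdminPrivs, user: str, new_group: str) -> None:
    """Behaviour the original poster reports: which users the admin can see is
    scoped, but the group he can assign them to is not, so a customer admin can
    move his own user into another customer's group (and that group's NAR)."""
    if effective_access(p) != "edit":
        raise PermissionError("no Add/Edit right")
    if user not in visible_users(d, p):
        raise PermissionError(f"{user} is outside the editable groups")
    d.user_group[user] = new_group      # no check on new_group


def assign_group_scoped(d: Directory, p: AdminPrivs, user: str, new_group: str) -> None:
    """Compensating check (an assumption, not an ACS option): the target group
    must itself be one of the admin's editable groups."""
    if new_group not in p.editable_groups:
        raise PermissionError(f"{new_group} is outside the editable groups")
    assign_group_unchecked(d, p, user, new_group)


def cross_tenant_escalation(scoped: bool) -> tuple:
    """Replay the scenario from the thread with constructed data and return
    (change_allowed, devices alice can reach afterwards)."""
    d = Directory(
        user_group={"alice": "CustA", "bob": "CustB"},
        group_devices={"CustA": {"asa-custA"}, "CustB": {"asa-custB"}},
    )
    custa_admin = AdminPrivs(frozenset({"CustA"}), add_edit_users=True, read_users=False)
    assert visible_users(d, custa_admin) == {"alice"}   # bob stays hidden, as the poster says
    assign = assign_group_scoped if scoped else assign_group_unchecked
    try:
        assign(d, custa_admin, "alice", "CustB")
    except PermissionError:
        return (False, set())
    return (True, reachable_devices(d, "alice"))


if __name__ == "__main__":
    print("unchecked:", cross_tenant_escalation(scoped=False))   # (True, {'asa-custB'})
    print("scoped:   ", cross_tenant_escalation(scoped=True))    # (False, set())
```

The unchecked path reproduces the thread's finding: the CustA admin never sees bob, yet after one edit alice authenticates against CustB's ASA. Until the product enforces the target-group check, the only controls are procedural (one ACS or one RADIUS realm per customer, or periodic review of group membership against the customer who owns each NAR).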