I am trying to implement the following scenario and would like to know the best solution for me.
We have 2 groups of remote VPN users, 1) Support and 2) Operations, both using the Cisco VPN client to log in remotely to our site.
1) When members of the Support group VPN in, I want our Cisco ASA to give them an IP range from Pool A of IP addresses. I want them to be authenticated using TACACS, and then after successful authentication they are redirected to, or only have access to, Server A.
2) When members of the Operations group VPN in, I want our Cisco ASA to give them an IP range from Pool B of IP addresses. I want them to be authenticated using TACACS, and then after successful authentication they are redirected to Server A AND have full access to Servers B, C, D etc.
On the ACS you create 2 user groups and link them to their appropriate LDAP/Active Directory groups. Create a downloadable IP ACL on the ACS to DENY the SUPPORT group access to servers B, C and D; the OPERATIONS group will then have access to all servers WITHOUT an IP ACL.
I'm making the assumption that you somewhat understand these features and the configuration of these devices. I can elaborate more if needed later on. There are a couple of ways to make your scenario work, but this is the first one that comes to mind.
RADIUS could be used to lock users into their appropriate groups as well.
Thanks for your input. The thing with ACS is I doubt we will be willing to spend the thousands on it. The 2nd solution seems more within budget (FREE), so I will test and see, and I'll post my findings back here.
I've set up the following 2nd VPN to allow a support user remote access to only one server. The VPN connects OK and assigns the right VPN, but when I try to RDP from the support laptop to the server nothing happens. The access lists aren't getting hit, so I'm lost as to why not. I've also added a static route on the server back to the remote pool using a different gateway (as this is in a test environment at present). Any ideas?
IP POOL for Remote user
ip local pool RA_VPN_SUPPORT 192.168.10.11 mask 255.255.255.255
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
For Split Tunnel -
access-list ACL_RA_VPN permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
This is possible, through IPsec connection profiles. Within the IPsec connection profile realm you can set the IKE peer authentication to pre-shared key or certificate based. Here you would also choose the user auth type, which would be TACACS in this case. You can also assign a separate DHCP pool for each group based on the membership of the VPN user. You can assign group policies to show a different login banner to each group and apply different filters that allow access to only the resources you want each group to have.
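Putting the two answers together, here is an added ASA configuration sketch (constructed for this thread, not taken from any of the posts): two IPsec connection profiles, each with its own pool, TACACS+ user authentication and a group policy whose vpn-filter limits the Support group to RDP on Server A while Operations reaches the whole inside LAN. All addresses, object names and keys are assumed placeholders.

```cisco
! Added example (constructed, not from any post in this thread). Assumes the
! IKEv1 crypto map / ISAKMP policy already exist (the VPN connects) and that
! NAT exemption for both pools is in place. Placeholder addresses:
! inside LAN 192.168.1.0/24, Server A = 192.168.1.10, TACACS+ server 192.168.1.5.
aaa-server TACACS_GRP protocol tacacs+
aaa-server TACACS_GRP (inside) host 192.168.1.5
 key TACACS-KEY-PLACEHOLDER
! One pool per group so the assigned source address itself identifies the group
ip local pool POOL_A 192.168.10.1-192.168.10.254 mask 255.255.255.0
ip local pool POOL_B 192.168.11.1-192.168.11.254 mask 255.255.255.0
! vpn-filter ACLs are written with the VPN client as source and the inside
! host as destination; the ASA applies them to both directions of the tunnel.
access-list VPNFILTER_SUPPORT extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list VPNFILTER_SUPPORT extended deny ip any any log
access-list VPNFILTER_OPS extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
! Split tunnel: only the inside LAN is sent through the tunnel
access-list SPLIT_INSIDE standard permit 192.168.1.0 255.255.255.0
! Group policies carry the filter; group-lock ties each policy to its profile
group-policy GP_SUPPORT internal
group-policy GP_SUPPORT attributes
 vpn-filter value VPNFILTER_SUPPORT
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_INSIDE
 group-lock value RA_SUPPORT
 banner value Support access: Server A (RDP) only
group-policy GP_OPS internal
group-policy GP_OPS attributes
 vpn-filter value VPNFILTER_OPS
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_INSIDE
 group-lock value RA_OPS
! One IPsec connection profile per group: own pool, TACACS+ auth, own policy
tunnel-group RA_SUPPORT type remote-access
tunnel-group RA_SUPPORT general-attributes
 address-pool POOL_A
 authentication-server-group TACACS_GRP
 default-group-policy GP_SUPPORT
tunnel-group RA_SUPPORT ipsec-attributes
 ikev1 pre-shared-key PSK-SUPPORT-PLACEHOLDER
tunnel-group RA_OPS type remote-access
tunnel-group RA_OPS general-attributes
 address-pool POOL_B
 authentication-server-group TACACS_GRP
 default-group-policy GP_OPS
tunnel-group RA_OPS ipsec-attributes
 ikev1 pre-shared-key PSK-OPS-PLACEHOLDER
```

The connection profile is chosen by the client, so with TACACS+ (authentication only) the ASA cannot stop a Support user who knows the Operations group name and key from picking the RA_OPS profile; binding the group policy to the user rather than the profile requires the authorization source (RADIUS class attribute or LDAP mapping, as the ACS answer above describes). On images before 8.4 the key is set with `pre-shared-key` rather than `ikev1 pre-shared-key`.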