Cisco Support Community

New Member

group-lock for vpn users with acs

Hi,

Is there any way to control what VPN profile a user is allowed to use through Cisco ACS, or the router?

Using 2811 router IOS ver 12.4, ACS 4.1

I just want to be sure that the VPN user can only use the Client Profile assigned to them and no other Group Profiles.

Example:

User123abc gets their hands on a co-worker's profile.

HR_User_Profile.pcf

SALES_User_Profile.pcf

User123abc belongs to HR department and should only be able to authenticate with HR_User_Profile. If User123abc tries to authenticate using the SALES_User_Profile access should be denied.

Any documentation explaining how to set this up?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: group-lock for vpn users with acs

The ASA will be your option. This has to be controlled by the group-policy, group-lock, tunnel-group and class values on ACS and ASA.

4 REPLIES

Re: group-lock for vpn users with acs

Unfortunately the only kind of group lock that routers support is with local authentication. Having an ACS will not be a viable solution since the router will not understand the class attribute sent back from the ACS (if any). You will find out that the router has the option of group-lock but this will only work when the user is stored on the router DB.

New Member

Re: group-lock for vpn users with acs

Thank you for your reply.

Is it possible to achieve this with a Cisco ASA5510, or does this device have the same limitation as the router?

Are there any other scalable Cisco solutions for this?

(just guessing like changing to a PKI authentication or something else??)

I also found this doc, but do not plan to use a VPN concentrator because it's EOL.

http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

Thanks.


Bronze

Re: group-lock for vpn users with acs

Have you tried sending this "ipsec:user-vpn-group=XXXXXX" in cisco-av-pair?

This command was introduced in 12.2(13)T.

If RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.

ipsec:group-lock=1

Group-lock

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1182957

The User-VPN-Group attribute is a replacement for the Group-Lock attribute...

If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated.

ipsec:user-vpn-group=cisco

User-VPN-Group

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_easy_vpn_srvr_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1097654
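To show how the User-VPN-Group attribute fits together with an IOS Easy VPN server that authenticates users against RADIUS, here is an added configuration example; it is not from the thread or from Cisco's documentation. The group names reuse the profile names from the question, and the RADIUS server address, shared secrets and address pools are placeholders. The av-pair value on the ACS side is the one quoted above; everything else is an assumption about a typical Easy VPN server setup.

```cisco
! Added example (not from the thread): IOS Easy VPN server with RADIUS
! XAUTH and per-user group enforcement via ipsec:user-vpn-group.
! All addresses, keys and names are placeholders.
aaa new-model
aaa authentication login VPN-XAUTH group radius
aaa authorization network VPN-GROUPS local
radius-server host 192.0.2.10 key RADIUS-SECRET-PLACEHOLDER
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! One ISAKMP client group per .pcf profile. The group name is the
! ID_KEY_ID the client sends, and is what the RADIUS attribute must match.
crypto isakmp client configuration group HR_User_Profile
 key HR-PSK-PLACEHOLDER
 pool HR-POOL
crypto isakmp client configuration group SALES_User_Profile
 key SALES-PSK-PLACEHOLDER
 pool SALES-POOL
ip local pool HR-POOL 10.10.1.1 10.10.1.254
ip local pool SALES-POOL 10.10.2.1 10.10.2.254
!
crypto ipsec transform-set EZVPN-TS esp-3des esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
crypto map EZVPN-MAP client authentication list VPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list VPN-GROUPS
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface FastEthernet0/0
 crypto map EZVPN-MAP
!
! ACS side (per user, not router config): on User123abc set the
! Cisco IOS/PIX RADIUS attribute 26 cisco-av-pair to
!   ipsec:user-vpn-group=HR_User_Profile
! When User123abc authenticates through SALES_User_Profile.pcf the
! group name (SALES_User_Profile) does not match the attribute, so the
! router terminates the client connection as the quoted doc describes.
```

Because the check compares the attribute string against the group name the client presented, the value on ACS must be spelled exactly like the `crypto isakmp client configuration group` name (or the certificate OU when using certificates), and a user with no User-VPN-Group attribute is not restricted at all, so it is worth verifying on the ACS side that every VPN user has the attribute set.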
