Cisco Support Community
New Member

PIX, VPN client, ACS for UNIX (v2.3.6) and Network Access Restrictions

I would like to use extended authentication of IPSEC VPN client users on the PIX against ACS for UNIX (v2.3.6) using tacacs. My idea is to implement a Network Access Restriction for a specific group on the tacacs ACS server, so that only users in that specific group are allowed to authenticate on the PIX. For the specific group I tried to configure something like:

refuse "system1.*\.acme.com" ".*" ".*"

allow ".*" ".*" ".*"

but it doesn't work. Somewhere on cisco.com it says:

"Cisco Secure ACS for UNIX requires authorization to be set on the network access server for this procedure to work. This differs from Cisco Secure ACS for Windows, which only requires authentication to be set on the network access server."

Any idea?

crypto map MY-MAP client authentication MYTACACS

How do I authorize the users?

Thanks

jm.

2 REPLIES
Bronze

Re: PIX, VPN client, ACS for UNIX (v2.3.6) and Network Access Re

Hi,

Go into the advanced section in the CiscoSecure GUI and edit the user or group. Click the root profile for the user.

In the menu select Filter and click Apply. Click the Filter (refuse) icon. The Filter icon is now set on (refuse). Click on the filter tab for the filter menu.

In the "Nas:" box, enter the wildcard DNS name for one of the denied devices (as mentioned by you),

where you include such devices as system1a.acme.com, system1b.acme.com, etc. The ".*" is the UNIX wildcard, and the "\" protects the ".acme.com" from being wildcarded.

When finished adding the denied devices, click the root profile for the user. You will get an options menu. In this menu, select Filter and click Apply.

Click the Filter (refuse) icon. In the permission menu, select Allow, then click Apply. The Filter icon is now set on (allow). Click the icon again. Click the filter tab for the filter menu. Enter ".*" in all three boxes. Then submit.

Hope this helps.

New Member

Re: PIX, VPN client, ACS for UNIX (v2.3.6) and Network Access Re

Hi,

OK, it's configured in this way on the ACS, and the records in csuslog are:

May 2 14:06:01 server CiscoSecure: [ID 722389 local0.debug] DEBUG - Authentication - LOGIN successful; [NAS=pix, Port=0, User=jmvpn, Priv=1]

May 2 14:06:01 server CiscoSecure: [ID 930977 local0.debug] DEBUG - Authorization - Unauthorized NAS or PORT; [NAS = pix, user = jmvpn, port = 0, input: service=shell cmd* output: ]

The ACS profile for user vpn is:

refuse "pix" ".*" ".*"

allow ".*" ".*" ".*"

Even so, the PIX allows the connection for the authenticated user,

but I would like to refuse the connection for the user jmvpn.

regards

jm.
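The first reply describes the refuse/allow NAS filter and why the "\" in "system1.*\.acme.com" matters, and the second reply shows what csuslog records when that filter fires: LOGIN successful at authentication, then "Unauthorized NAS or PORT" at authorization. The Python below is an added example, not code from the thread or from CiscoSecure ACS. It models the filter as first-match over three anchored regexes (the page names only the first box, "Nas:"; mapping the other two to port and service, taken from the fields in the posted log line, is an assumption of this example), and it scans the posted log lines for users who passed authentication but were refused at authorization, which is exactly the case the cisco.com quote warns about: a NAS configured for authentication only never sees the refusal.

```python
import re

# Constructed input: the filter from the original question, in ACS-for-UNIX
# refuse/allow form. Only the first quoted field is named on the page ("Nas:");
# treating the second and third as port and service is this example's assumption.
FILTER_TEXT = r'''
refuse "system1.*\.acme.com" ".*" ".*"
allow ".*" ".*" ".*"
'''

# Constructed input: the same filter with the backslash left out, to show what
# an unescaped "." in the NAS pattern does.
UNESCAPED_FILTER_TEXT = r'''
refuse "system1.*.acme.com" ".*" ".*"
allow ".*" ".*" ".*"
'''

RULE_RE = re.compile(r'^\s*(refuse|allow)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s*$')


def parse_filter(text):
    """Return [(action, [nas_re, port_re, service_re]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable filter line: %r" % line)
        action, *patterns = m.groups()
        rules.append((action, [re.compile(p) for p in patterns]))
    return rules


def evaluate(rules, nas, port, service):
    """First rule whose three patterns fully match decides the request.

    fullmatch() anchors each pattern, so "system1.*\\.acme.com" matches
    system1a.acme.com but not system2.acme.com. No matching rule is treated
    as refuse (assumption; the page does not state the default).
    """
    for action, (nas_re, port_re, service_re) in rules:
        if (nas_re.fullmatch(nas) and port_re.fullmatch(port)
                and service_re.fullmatch(service)):
            return action
    return "refuse"


# Constructed csuslog sample modelled on the two lines posted in the thread.
LOG_LINES = [
    "May 2 14:06:01 server CiscoSecure: [ID 722389 local0.debug] DEBUG - "
    "Authentication - LOGIN successful; [NAS=pix, Port=0, User=jmvpn, Priv=1]",
    "May 2 14:06:01 server CiscoSecure: [ID 930977 local0.debug] DEBUG - "
    "Authorization - Unauthorized NAS or PORT; [NAS = pix, user = jmvpn, "
    "port = 0, input: service=shell cmd* output: ]",
]

# Field tokens stop at comma, closing bracket or whitespace so "jmvpn," is not captured.
AUTHN_RE = re.compile(
    r"Authentication - LOGIN successful; \[NAS=([^,\]\s]+), Port=(\d+), User=([^,\]\s]+)")
AUTHZ_RE = re.compile(
    r"Authorization - Unauthorized NAS or PORT; \[NAS = ([^,\s]+), user = ([^,\s]+), port = (\d+)")


def find_authn_only_refusals(lines):
    """(nas, user) pairs that passed authentication but were refused at authorization.

    A NAS that only requests authentication (the thread's
    'crypto map MY-MAP client authentication MYTACACS') lets these sessions
    through, because the refuse rule is only consulted on authorization.
    """
    passed, refused = set(), set()
    for line in lines:
        m = AUTHN_RE.search(line)
        if m:
            passed.add((m.group(1), m.group(3)))
        m = AUTHZ_RE.search(line)
        if m:
            refused.add((m.group(1), m.group(2)))
    return sorted(passed & refused)


if __name__ == "__main__":
    rules = parse_filter(FILTER_TEXT)
    for nas in ("system1a.acme.com", "system2.acme.com", "system1xacmeYcom"):
        print(nas, "->", evaluate(rules, nas, "0", "shell"))
    print("authenticated but refused at authorization:",
          find_authn_only_refusals(LOG_LINES))
```

Running it shows the escaped pattern refusing system1a.acme.com while allowing system2.acme.com, the unescaped pattern also refusing a host such as system1xacmeYcom that contains no literal dot, and the log scan reporting (pix, jmvpn) as a session the filter refused but a NAS doing authentication only would still admit.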
