Cisco Support Community
RA-VPN Profiles | Multiprofiles | DL Authentication | ACS 5.4

Hi,

The requirement is to configure RA-VPN users to authenticate with ACS 5.4.

However, each profile needs to be mapped to a separate DL within the same AD.

Meaning a user from DL "A" should be able to log in using profile "A" only, not profile "B". Even if he tries, it should fail to authenticate.

A user from DL "B" should be able to log in with profile "B" only, not profile "A".

The RA-VPN gateway is a Cisco ASA, and as of now authentication is happening successfully, but the profile-based DL restriction is not working.

That means if by mistake user A connects to the gateway with profile "B", he gets logged in, as AD is a common auth container.

To my knowledge: there is no intelligence built between Cisco ASA and ACS 5.4 to know which profile the authentication request has come from, and even if there is, ACS won't know how to deal with it.

I request someone guide me on how this can be achieved with ACS 5.4 if feasible. If not feasible, how can this be achieved?

 

Yogesh

  • AAA Identity and NAC
1 REPLY


Yogesh,

Correction to this:

"To my knowledge: there is no intelligence built between Cisco ASA and ACS 5.4 to know which profile the authentication request has come from, and even if there is, ACS won't know how to deal with it."

Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA

Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.


http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-557971

Tunnel group will be the connection profile:

Tunnel Group Name (146)

What do you mean by DL?

http://www.networksa.org/?p=360 - The group lock functionality.

Club the incoming tunnel group attribute with the return attribute and you've got what you need.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed
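To make the "club the incoming attribute with the return attribute" idea concrete, here is an added Python example (not Ed's code and not anything from Cisco or ACS) that does what an ACS authorization rule would do: pull the Cisco Tunnel-Group-Name VSA (146) out of an Access-Request, check that the user belongs to the AD group mapped to that connection profile, and on success return Tunnel-Group-Lock so the ASA pins the session to that profile. It assumes DL means an AD group, that Tunnel-Group-Lock is Cisco vendor-type 85 (from the ASA RADIUS attribute table; verify against your release), and the user/group membership, the profile mapping and the shared secret are constructed sample data.

```python
"""Constructed example: per-connection-profile authorization keyed on the ASA's
Tunnel-Group-Name VSA, as a stand-in for an ACS authorization policy."""
import hashlib
import os
import struct

CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
ATTR_USER_NAME = 1             # RFC 2865 User-Name
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific
CISCO_TUNNEL_GROUP_NAME = 146  # sent by the ASA in Access-Request (see reply above)
CISCO_TUNNEL_GROUP_LOCK = 85   # assumed vendor-type for the return attribute
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3

# Policy (constructed): which AD group a user must be in for each connection profile.
PROFILE_TO_GROUP = {"PROFILE_A": "DL-A", "PROFILE_B": "DL-B"}
# Constructed stand-in for an AD group-membership lookup.
AD_MEMBERSHIP = {"alice": {"DL-A"}, "bob": {"DL-B"}}


def build_attr(attr_type, value):
    # Standard RADIUS TLV: type, length (covers the 2 header bytes), value.
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_cisco_vsa(vendor_type, value):
    # Vendor-Specific(26) payload: 4-byte vendor-id, then vendor-type, vendor-length, value.
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_request(username, tunnel_group, identifier=1):
    """Constructed Access-Request as the ASA would send it for this profile."""
    attrs = (build_attr(ATTR_USER_NAME, username.encode())
             + build_cisco_vsa(CISCO_TUNNEL_GROUP_NAME, tunnel_group.encode()))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + os.urandom(16) + attrs   # 16-byte Request Authenticator


def parse_attributes(packet):
    """Walk the attribute TLVs; return (username, tunnel_group), None where absent."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    username = tunnel_group = None
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            username = value.decode(errors="replace")
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if (vendor_id == CISCO_VENDOR_ID and vtype == CISCO_TUNNEL_GROUP_NAME
                    and 2 <= vlen == len(value) - 4):
                tunnel_group = value[6:4 + vlen].decode(errors="replace")
        pos += alen
    return username, tunnel_group


def decide(username, tunnel_group):
    """The authorization rule: reject unless the user is in the group mapped to
    the profile; on accept, return Tunnel-Group-Lock so the ASA enforces it too."""
    required = PROFILE_TO_GROUP.get(tunnel_group)
    if username is None or required is None:
        return CODE_ACCESS_REJECT, []          # unknown profile or no User-Name
    if required not in AD_MEMBERSHIP.get(username, set()):
        return CODE_ACCESS_REJECT, []          # wrong DL for this profile
    return CODE_ACCESS_ACCEPT, [(CISCO_TUNNEL_GROUP_LOCK, tunnel_group)]


def authorize(packet):
    return decide(*parse_attributes(packet))


def build_response(request, code, return_attrs, secret=b"constructed-shared-secret"):
    """Access-Accept/Reject with RFC 2865 Response Authenticator and Cisco VSAs."""
    identifier, request_auth = request[1], request[4:20]
    attrs = b"".join(build_cisco_vsa(vt, val.encode()) for vt, val in return_attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


if __name__ == "__main__":
    for user, profile in [("alice", "PROFILE_A"), ("alice", "PROFILE_B"), ("bob", "PROFILE_B")]:
        req = build_access_request(user, profile)
        code, attrs = authorize(req)
        print(user, profile, "ACCEPT" if code == CODE_ACCESS_ACCEPT else "REJECT", attrs)
```

The reject branch on its own already gives the behaviour asked for in the question (user A on profile "B" fails to authenticate); returning Tunnel-Group-Lock in addition makes the ASA refuse the session even if a later policy change lets the user through on another profile.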
