I'm trying to find a more simplified approach on how to manage my RSA token assigned users for VPN access. This is my first time working with RSA. I want to be able to go to the RSA server and create a user, assign a token, and a group. When I do that I want ACS to dynamically assign that user to the same group when they initially authenticate; I've tried with no success. The ultimate goal would be to give them a prepackaged client, assign the token in RSA ACE, and create the groups with restrictions on the ACS. I just need the user to fall into the correct group when they log in.
It is not possible as far as I am aware to dynamically add users to multiple groups. Also be aware that if you change which group users are dynamically added to then users already added will be deleted.
The most efficient way to use this feature would be to choose the group with most users in and apply it to that.
Actually that doesn't really answer my question. Let me try to explain.
I create a user in the Human Resources group on the ACE server. I want to then go to the ACS server and create a group called Human Resources with an ACL policy. Obviously I cannot assign this user to the group because he/she does not exist in ACS yet. I want to give the user a VPN client package and their token. When they log in for the first time I want the ACS server to look up the user in ACE and assign them to the same group that ACE has them in; in this example it's Human Resources.
IMHO there is no fixed 1:1 relationship between VPN users and groups in ACS. At least for VPN group locking, the group assignment in the ACS user dialog does not do "group locking". If you do not make further restrictions (NAR etc.), other users (for example dial-in users) could be used for VPN authentication and so on.
But you can lock your VPN users by using the RADIUS attribute 025, for example
Maybe this group locking will assign the ACE user to the right group when you have the chance to set up this radius attribute in the ACE user database. I do not know if this can be done.
If you can define your own attributes in ACE (and ACS will fetch this information from ACE): perhaps there are other attributes which may be helpful if 025 does not help.
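To make the "attribute 025" group-locking idea concrete, here is an added example (not code from this thread, and not Cisco's or RSA's software) that builds a RADIUS Access-Request for a VPN user, builds the Access-Accept an authentication server would return with IETF attribute 25 (Class) set to the group name, verifies the Response Authenticator with the shared secret as the VPN device would, and extracts the group. The `OU=<group>;` value format is the form Cisco VPN devices read from the Class attribute; that format, the user name, the group names, the shared secret and the fixed Request Authenticator are all constructed for this example.

```python
import hashlib
import hmac
import struct

# RFC 2865 codes and attribute types used here
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_CLASS = 25          # the "025" attribute the reply above refers to

# Constructed values for the example; a real client uses a random Request
# Authenticator per request and a shared secret known only to both ends.
SECRET = b"s3cr3t-example"
REQ_AUTH = bytes(range(16))


def encode_attrs(attrs):
    """Encode [(type, value_bytes)] as RADIUS TLVs: type, length (incl. header), value."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for a single TLV")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    """Decode RADIUS TLVs, rejecting truncated or self-overlapping attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(ident, request_auth, attrs):
    """Access-Request: code, id, length, Request Authenticator, attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_accept(ident, request_auth, attrs, secret):
    """Access-Accept whose authenticator is MD5(header + RequestAuth + attrs + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator; False means wrong secret or a forged reply."""
    if len(packet) < 20:
        raise ValueError("short packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def group_from_accept(packet, request_auth, secret):
    """Return the group carried in Class as 'OU=<group>;', or None if absent."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("bad Response Authenticator; reply not accepted")
    for t, v in decode_attrs(packet[20:]):
        if t == ATTR_CLASS:
            s = v.decode("ascii", "replace")
            if s.startswith("OU=") and s.endswith(";"):
                return s[3:-1]
    return None


def demo_group():
    """Client sends a request for jdoe; server answers with Class = OU=Human Resources;"""
    req = build_request(7, REQ_AUTH, [(ATTR_USER_NAME, b"jdoe")])
    # The server signs over the Request Authenticator it received (req[4:20]).
    accept = build_accept(7, req[4:20], [(ATTR_CLASS, b"OU=Human Resources;")], SECRET)
    return group_from_accept(accept, REQ_AUTH, SECRET)


def demo_forged_reply_rejected():
    """A reply built with the wrong secret must fail verification (True = rejected)."""
    forged = build_accept(7, REQ_AUTH, [(ATTR_CLASS, b"OU=Admins;")], b"wrong-secret")
    return not verify_response(forged, REQ_AUTH, SECRET)


if __name__ == "__main__":
    print("group from Class:", demo_group())
    print("forged reply rejected:", demo_forged_reply_rejected())
```

The point of the check in `group_from_accept` is that the group lock only means something if the VPN device actually validates the Response Authenticator before honouring the Class attribute; a reply that fails verification is dropped rather than mapped to a group.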