I'd like to ask you guys if you ever had to configure a deployment in the way my client wants.
We're using Cisco Secure ACS 5.2 as a Proxy AAA server, using Active Directory as an External Identity Store. They are already synced and connected, and thus I can log in to the VPN using my Domain credentials.
But that's not enough. My client needs to limit who can and can't establish a VPN session. I mean, the way it is now, EVERY single employee can do that if his/her credentials are valid in the Active Directory domain controller. So I need to do two things:
1) Using the Microsoft NPS server, via dialin attribute, allow or deny VPN sessions using ACS/ASA;
2) Using the company user credential attribute to identify which Authorization Group the requesting user should be in, Downloadable ACLs will then be applied according to the access policies created for each company.
I've looked for documentation in the Cisco portal but couldn't find anything really useful. Can anyone help me out?
Ok! I've managed to get the 'company' attribute working and use it to trigger the various Group Mapping >> Authorization Profiles I have configured in the ACS.
The remaining problem is the 'msNPAllowDialin' attribute. Is there any way to do this check on ACS 5.2? I heard it's a built-in check on version 5.3, but I'm afraid to upgrade since I've seen many, many issues here on the NetPro forums regarding this new version.
Thanks for your reply! Unfortunately I don't know how to make a compound condition using the 'msNPAllowDialin' attribute. Using the 'company' attribute I was able to do a compound condition, since the ACS actually gets that from the user credentials, see the picture attached.
When I create the 'msNPAllowDialin' attribute, the report says:
24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
24458 Not all Active Directory attributes are retrieved successfully
Besides, the logic type of the 'msNPAllowDialin' attribute is Boolean, and I can't create a compound rule using this type; only String, IPv4 Address and Unsigned Int 32-bit types are available. I've tried setting it to String and Unsigned Int, but the error message is the same.
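As an added example (not from the thread), a PowerShell audit of the two AD attributes the question relies on, so you can see which accounts actually carry a 'msNPAllowDialin' value before building policy on it; the search base is an assumption and the ActiveDirectory RSAT module is required:

```powershell
# Added example: audit 'msNPAllowDialin' and 'company' for the accounts that
# the ACS policy keys on. Not part of the original thread.
Import-Module ActiveDirectory

# Assumed search base; replace with the OU that holds the VPN users.
$searchBase = 'OU=Users,DC=example,DC=com'

$users = Get-ADUser -Filter * -SearchBase $searchBase `
    -Properties msNPAllowDialin, company |
  ForEach-Object {
    # msNPAllowDialin is a Boolean in the AD schema. When the Dial-in tab was
    # never touched the attribute is absent ($null), which is the "attribute
    # not found on the subject record" case behind ACS report code 24100.
    $dialin = if ($null -eq $_.msNPAllowDialin) { 'NotSet' }
              elseif ($_.msNPAllowDialin) { 'Allow' } else { 'Deny' }
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        Company        = if ($_.company) { $_.company } else { '(none)' }
        DialIn         = $dialin
    }
  }

# Per-company summary: how many accounts are explicitly allowed, denied or unset.
$users | Group-Object Company | ForEach-Object {
    $g = $_.Group
    [pscustomobject]@{
        Company = $_.Name
        Allow   = @($g | Where-Object DialIn -eq 'Allow').Count
        Deny    = @($g | Where-Object DialIn -eq 'Deny').Count
        NotSet  = @($g | Where-Object DialIn -eq 'NotSet').Count
    }
} | Format-Table -AutoSize

# Accounts with no explicit value are the ones to review first: ACS falls back
# to its configured default for them, and NPS treats "not set" as "control
# access through network policy" rather than as a deny.
$users | Where-Object DialIn -eq 'NotSet' |
  Select-Object SamAccountName, Company | Format-Table -AutoSize
```

The per-company table is a quick sanity check that every account in an Authorization Group mapping also has an explicit dial-in decision.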