I'd like to ask you guys if you have ever had to configure a deployment the way my client wants.
We're using Cisco Secure ACS 5.2 as a proxy AAA server, using Active Directory as an External Identity Store. They are already synced and connected, and thus I can log in to the VPN using my domain credentials.
But that's not enough. My client needs to limit who can and can't establish a VPN session. I mean, the way it is now, EVERY single employee can do that if his/her credentials are valid on the Active Directory domain controller. So I need to do two things:
1) Using the Microsoft NPS server, via the dial-in attribute, allow or deny VPN sessions using ACS/ASA;
2) Using the company user credential attribute to identify which Authorization Group the requesting user should be in, Downloadable ACLs will then be applied according to the access policies created for each company.
I've looked for documentation in the Cisco portal but couldn't find anything really useful. Can anyone help me out?
Ok! I've managed to get the 'company' attribute working and use it to trigger the various Group Mapping >> Authorization Profiles I have configured in the ACS.
The remaining problem is the 'msNPAllowDialin' attribute. Is there any way to do this check on ACS 5.2? I heard it's a built-in check in version 5.3, but I'm afraid to upgrade since I've seen many, many issues here on the NetPro forums regarding this new version.
Thanks for your reply! Unfortunately I don't know how to make a compound condition using the 'msNPAllowDialin' attribute. Using the 'company' attribute I was able to do a compound condition, since the ACS actually gets that from the user credentials, see the picture attached.
When I create the 'msNPAllowDialin' attribute, the report says:
24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
24458 Not all Active Directory attributes are retrieved successfully
Besides, the logical type of the 'msNPAllowDialin' attribute is Boolean, and I can't create a compound rule using this type; only String, IPv4 Address and Unsigned Int 32-bit types are available. I've tried setting it to String and Unsigned Int, but the error message is the same.
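A check worth running on the AD side before blaming ACS, as an added example that is not part of the thread and not from any of the posters: the 24100 message says the attribute was not found on the subject record, and msNPAllowDialin is a Boolean attribute that is simply absent from a user object when the Dial-in tab is set to "Control access through NPS Network Policy" (it is only written as TRUE for "Allow access" or FALSE for "Deny access"). The script below, which needs the ActiveDirectory RSAT module, lists the two attributes the thread relies on and flags the users for whom ACS has nothing to read. The OU path and the account name are hypothetical placeholders.

```powershell
# Added example, not from the thread: inspect the AD attributes that ACS reads
# (msNPAllowDialin and company) and find users where msNPAllowDialin is unset.
# Requires the ActiveDirectory module (RSAT). OU and user names are placeholders.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=example,DC=local'   # assumption: where the VPN users live

$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties msNPAllowDialin, company

foreach ($u in $users) {
    # msNPAllowDialin is Boolean and has three states on a real user object:
    #   $true  -> Dial-in tab "Allow access"
    #   $false -> Dial-in tab "Deny access"
    #   absent -> "Control access through NPS Network Policy" (attribute not written)
    # An absent attribute is what ACS reports as 24100/24458: nothing to retrieve.
    if ($null -eq $u.msNPAllowDialin) { $dialin = 'NOT SET (NPS policy)' }
    elseif ($u.msNPAllowDialin)       { $dialin = 'ALLOW' }
    else                              { $dialin = 'DENY' }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Company         = $u.company          # used for the ACS group mapping
        msNPAllowDialin = $dialin
    }
}

# Users for whom an ACS condition on msNPAllowDialin can never match,
# because the attribute does not exist on their object at all:
$unset = $users | Where-Object { $null -eq $_.msNPAllowDialin }
$unset | Select-Object SamAccountName, company

# To make the attribute present (and therefore retrievable) for such a user,
# write it explicitly; e.g. deny dial-in for the placeholder account 'jdoe':
# Set-ADUser -Identity 'jdoe' -Replace @{ msNPAllowDialin = $false }
```

The last line is commented out on purpose: writing the attribute changes the user's Dial-in setting, so run the listing first and decide per OU whether users with no value should be set to explicit Allow or Deny. Once every VPN candidate carries an explicit TRUE/FALSE, the ACS retrieval error for that attribute should disappear, which is a separate question from whether ACS 5.2 can build a compound condition on a Boolean type.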