New Member

Secure ACS 5.2 and Microsoft NPS

Greetings all!

I'd like to ask you guys if you have ever had to configure a deployment the way my client wants.

We're using Cisco Secure ACS 5.2 as a proxy AAA server, using Active Directory as an External Identity Store. They are already synced and connected, and thus I can log in to the VPN using my domain credentials.

But that's not enough. My client needs to limit who can and can't establish a VPN session. I mean, the way it is now, EVERY single employee can do that if his/her credentials are valid in the Active Directory domain controller. So I need to do two things:

1) Using the Microsoft NPS server, via the dial-in attribute, allow or deny VPN sessions using ACS/ASA;

2) Using the company user credential attribute to identify which Authorization Group the requesting user should be in; Downloadable ACLs will then be applied according to the access policies created for each company.

I've looked for documentation in the Cisco portal but couldn't find anything really useful. Can anyone help me out?

Thanks in advance!

Regards, Dan

New Member

Secure ACS 5.2 and Microsoft NPS

Ok! I've managed to get the 'company' attribute working and use it to trigger the various Group Mapping >> Authorization Profiles I have configured in the ACS.

The remaining problem is the 'msNPAllowDialin' attribute. Is there any way to do this check on ACS 5.2? I heard it's a built-in check in version 5.3, but I'm afraid to upgrade since I've seen many, many issues here on the NetPro forums regarding this new version.

Any thoughts on this one?

Thanks once more!

Regards, Dan

Cisco Employee

Secure ACS 5.2 and Microsoft NPS

You can create a compound condition in your authorization policy. The compound condition can use any AD attribute you configured.

New Member

Secure ACS 5.2 and Microsoft NPS

Hey Nicolas!

Thanks for your reply! Unfortunately I don't know how to make a compound condition using the 'msNPAllowDialin' attribute. Using the 'company' attribute I was able to do a compound condition, since the ACS actually gets that from the user credentials; see the picture attached.

When I create the 'msNPAllowDialin' attribute the report says:

24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.

24458 Not all Active Directory attributes are retrieved successfully

Besides, the logic type of the 'msNPAllowDialin' attribute is Boolean and I can't create a compound rule using this type; only String, IPv4 Address and Unsigned Int 32-bit types are available. I've tried setting it to String and Unsigned Int, but the error message is the same.

Any other suggestion?

Thanks again!

Regards, Dan
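To make the two-step policy in this thread concrete (first gate on the dial-in attribute, then map the 'company' attribute to an authorization profile), here is an added, stand-alone Python model of that decision logic. It is illustration only, not ACS code and not how ACS evaluates its compound conditions internally. The directory contents, the company names and the profile names are constructed; the one real detail it leans on is that msNPAllowDialin has Boolean syntax in the AD schema, so an LDAP read returns the strings "TRUE"/"FALSE", and the attribute is simply absent from a user object when the Dial-in tab is left at "Control access through NPS Network Policy", which is exactly the case behind the 24100 "attribute not found" message above.

```python
# Added illustration of the VPN authorization logic discussed in the thread.
# Not ACS code: a plain model of "dial-in gate, then company -> profile".

# Constructed sample of what an LDAP lookup of four AD user objects returns.
# msNPAllowDialin is Boolean in the AD schema, so it arrives as "TRUE"/"FALSE";
# it is absent when the account has never had the dial-in flag set explicitly.
SAMPLE_USERS = {
    "alice": {"company": "Contoso",  "msNPAllowDialin": "TRUE"},
    "bob":   {"company": "Fabrikam", "msNPAllowDialin": "FALSE"},
    "carol": {"company": "Contoso"},                 # dial-in attribute not set
    "dave":  {"msNPAllowDialin": "TRUE"},            # no company attribute
}

# Hypothetical company -> authorization profile mapping (profile names assumed).
COMPANY_PROFILES = {
    "Contoso":  "Contoso-VPN-DACL",
    "Fabrikam": "Fabrikam-VPN-DACL",
}

# Value substituted when the attribute is missing on the subject record.
# Failing closed (deny) is the safer default for a remote-access gate.
DEFAULT_DIALIN = "FALSE"


def dialin_allowed(attrs, default=DEFAULT_DIALIN):
    """Gate 1: treat only an explicit TRUE (any case) as permission to dial in."""
    value = attrs.get("msNPAllowDialin", default)
    return str(value).strip().upper() == "TRUE"


def authorize(username, directory=SAMPLE_USERS):
    """Return (decision, detail): decision is PERMIT or DENY; detail is the
    profile name on PERMIT, or the reason on DENY."""
    attrs = directory.get(username)
    if attrs is None:
        return ("DENY", "user not found in directory")
    if not dialin_allowed(attrs):
        return ("DENY", "msNPAllowDialin not TRUE (or missing, default applied)")
    # Gate 2: the company attribute selects the authorization profile.
    profile = COMPANY_PROFILES.get(attrs.get("company"))
    if profile is None:
        return ("DENY", "no authorization profile for company")
    return ("PERMIT", profile)


def audit_dialin(directory=SAMPLE_USERS):
    """Defender's view: list every account that would pass the dial-in gate,
    so the set of VPN-capable users can be reviewed against intent."""
    return sorted(u for u, a in directory.items() if dialin_allowed(a))


if __name__ == "__main__":
    for user in sorted(SAMPLE_USERS):
        print(f"{user:6s} -> {authorize(user)}")
    print("accounts passing the dial-in gate:", audit_dialin())
```

Two design points carry over to the real ACS policy: the attribute must be compared as the string "TRUE" (which is why the thread's Boolean/String type question matters), and the "default value, if configured" that ACS mentions in message 24100 should be the deny value, so that an account with the attribute unset never slips through the first gate.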
