I have a scenario where we have two groups in the VPN 3005, group1 and group2. I also have two users, user1 and user2, who are authenticated in AD via the ACS. What I want to accomplish is to tie user1 with group1 and user2 with group2. For example, if user1 gets hold of user2's account and password or user2's group2 id and password, he will not be able to login. If something in this scenario is not clear please let me know.
In user1's profile on the ACS server, send back Radius attribute 25 (Class) in the form:
It's case-sensitive, and don't forget the semi-colon. The 3000 will receive this and put user1 into group1, regardless of what group they have configured in their VPN client.
I don't think you can actually stop user1 from logging in, but this way they'll always be in the correct group. If user1 does happen to get user2's username and password though, there's nothing you can do for this, since how does the 3000 know that user1 is actually sitting at the keyboard and using user2's username.
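As an added illustration (not code from the thread or from Cisco), the following Python encodes a RADIUS Class attribute (type 25) the way RFC 2865 lays out attributes, decodes it again, and applies the group-lock check the reply above describes: the value is compared case-sensitively and the trailing semicolon is required. The `OU=<group>;` value form, the user-to-group mapping and the sample misconfigured values are assumptions constructed for the example; the thread itself does not show the literal string the ACS profile returns.

```python
# Added example, not from the original thread: build and audit a RADIUS Class
# (type 25) attribute used to lock a VPN 3000 user into a Concentrator group.
# The "OU=<group>;" value form is an assumption; the thread omits the literal.
import struct
from typing import Dict, List, Optional, Tuple

RADIUS_ATTR_CLASS = 25

# Assumed mapping of RADIUS users to Concentrator groups (constructed sample).
USER_TO_GROUP: Dict[str, str] = {"user1": "group1", "user2": "group2"}


def encode_class_attribute(group: str) -> bytes:
    """Type/Length/Value bytes for a Class attribute carrying OU=<group>;"""
    value = f"OU={group};".encode("ascii")
    # RFC 2865: Length covers Type, Length and Value; Value is at most 253 bytes.
    if len(value) > 253:
        raise ValueError("Class value too long for a single attribute")
    return struct.pack("BB", RADIUS_ATTR_CLASS, 2 + len(value)) + value


def decode_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list and return (type, value) pairs."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("BB", payload[i:i + 2])
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def locked_group(payload: bytes) -> Optional[str]:
    """Group the Concentrator would lock the user into, or None if no
    well-formed Class attribute is present. Mirrors the reply's two pitfalls:
    the match is case-sensitive and the semicolon must be present."""
    for atype, value in decode_attributes(payload):
        if atype != RADIUS_ATTR_CLASS:
            continue
        text = value.decode("ascii", errors="replace")
        if text.startswith("OU=") and text.endswith(";"):
            return text[3:-1]
    return None


def check_user(user: str, access_accept_attrs: bytes) -> bool:
    """Defender-side audit: does the Access-Accept for `user` lock them into
    the group the administrator intended?"""
    expected = USER_TO_GROUP.get(user)
    return expected is not None and locked_group(access_accept_attrs) == expected


def demo() -> Dict[str, bool]:
    good = encode_class_attribute("group1")
    # Constructed misconfigurations: wrong case, and a missing semicolon.
    wrong_case = struct.pack("BB", RADIUS_ATTR_CLASS, 2 + 10) + b"OU=Group1;"
    no_semicolon = struct.pack("BB", RADIUS_ATTR_CLASS, 2 + 9) + b"OU=group1"
    return {
        "correct": check_user("user1", good),
        "wrong_case": check_user("user1", wrong_case),
        "no_semicolon": check_user("user1", no_semicolon),
        "user2_gets_group1": check_user("user2", good),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows only the correctly formed, correctly cased value for the right user passing; the wrong-case and missing-semicolon variants are exactly the mistakes the reply warns about, and the last case shows that a user whose profile returns the wrong group would be placed where the administrator did not intend.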
The VPN 3000 Concentrator has the ability to lock users into a Concentrator group which will override the group the user has configured in the VPN 3000 client. In this way, access restrictions can be applied to various groups configured on the Concentrator with the assurance that the users are locked into that group with the RADIUS server.
For more details on how to configure it, check the following URL