Re: VPN authentication THROUGH BOTH ASA and 3000

netsec123 · ‎04-29-2007

Hi. We have a client that does NOT want to TOUCH their ACS 4.0 appliance EXCEPT to run reports. Is there a document out there that can instruct on how to configure BOTH the security appliances [ASA and CONCENTRATOR] as well as the ACS appliance? I'm having trouble finding one. :( Thanks in advance!!!!

darpotter · ‎05-01-2007

Sounds like your client has unrealistic expectations. How can you configure it to secure the VPN without touching it??

Generally for VPN you start with its own documentation to figure out what session provisioning it needs from ACS in terms of RADSIUS attributes.

You should find adding an ASA device into the ACS network config and then enabling its attributes (in interface config) will allow you to assign attribute values to ACS groups and users.

Alternatively VPN3000's often use LDAP for authorisation and the ACS in this case returns the RADIUS class attribute containing an "ou=blah blah..." value.

Lastly there's where to do the authentication, either inside ACS or externally via LDAP, AD, RSA etc. This may or may not require the ACS "unknown user policy" and external authenticator databases.

netsec123 · ‎05-01-2007

I'm sorry -- my bad; I'll rephrase... Once the ACS is configured to do "pass-through" authentication for users, the client does NOT want to have to access ACS to "add" new users. We can configure the ASA and the ACS as much as we want - I'm sorry for mis-phrasing.... My ?? centers on "how" to configure the ASA and ACS so that they pass authentication to the AD box... A user opens the Cisco client, which connects to the ASA. The ASA then takes the user and in order to authenticate, queries the ACS, which in turn queries AD for the username / password.... I hope that makes it a little clearer... :)