Cisco Support Community
Community Member

Bit of a scenario here.

OK, I have been assigned a project with equipment that I don't think will do what they want it to.

1st. We have a single 3005 concentrator. We also have about 50 different remote staff that need access to different resources, but all need the same resources from our datacenter (email, etc.).

We have a core 4503 with Sup 4 and 2 48-port 10/100/1000 blades in it. This is our core switch running to 2950T-24s in the closets. Network is partially routed out (still in process of finishing).

On the 3005 can I limit where users 1-10 can go, and then limit where users 11-20 go, etc.? I found no spot for access-lists, and I am not sure if setting these lists on the 4503 is the right spot to do it.

In a nutshell I would like to restrict VPN users 1-10 to 10.0.16.0/23 and 10.1.20.0/23 while restricting users 11-20 to 10.3.1.0/23 and 10.0.16.0/23,

and give extended support laptops access to only 10.0.16.0/23.

(10.0.16.0/23 Datacenter)

(10.1.20.0/23 Development area)

(10.3.1.0/23 QA area)

Can this be done?

2nd. We also have 2 AS5350s not used in your standard fashion. They are used for dial-out with a product called DialOut/EZ. The 5350s are using RADIUS on Win2K against AD; VPN is doing the same. We have groups created across different domains so they can have a single login.

If I were to install ACS and set all devices to look to the server for AAA, would I be shooting myself in the foot, or can I set the same types of groups as I have in AD? If you are not in the AD group then you get no access. Will this log everything? Right now I only get who connected to where, and when they disconnected. It does not show me where they went, where they were denied, or how long they were dialed into a client or connected through the VPN.

Sorry if this doesn't make any sense, but if it does and you want to help me out, that would really be appreciated.

Thanks

Anthony

1 REPLY
Community Member

Re: Bit of a scenario here.

Here is a document that describes how VPN 3000 Clients are authenticated on the concentrator and how the concentrator uses user and group attributes: http://www.cisco.com/warp/public/471/vpn_3000_auth.html
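For the first question, the per-group restriction can also be enforced on the 4503 with an extended ACL, independent of what the concentrator's group filters do. The following is an added example, not from the thread or from Cisco's document; it assumes the concentrator hands each group its own address pool (the 10.200.x.0/24 pools and the interface name are assumptions) and uses the three subnets named in the post.

```cisco
! Added example (not from the thread). Assumed VPN address pools, one per
! concentrator group, as the match key for each policy:
!   10.200.1.0/24  users 1-10          -> datacenter + development
!   10.200.2.0/24  users 11-20         -> datacenter + QA
!   10.200.3.0/24  extended-support laptops -> datacenter only
ip access-list extended VPN-TO-INSIDE
 remark users 1-10: datacenter 10.0.16.0/23 and development 10.1.20.0/23
 permit ip 10.200.1.0 0.0.0.255 10.0.16.0 0.0.1.255
 permit ip 10.200.1.0 0.0.0.255 10.1.20.0 0.0.1.255
 remark users 11-20: datacenter and QA
 permit ip 10.200.2.0 0.0.0.255 10.0.16.0 0.0.1.255
 remark 10.3.1.0/23 as written is not on a /23 boundary; IOS stores this
 remark entry as 10.3.0.0 0.0.1.255, so confirm the intended QA range
 permit ip 10.200.2.0 0.0.0.255 10.3.1.0 0.0.1.255
 remark extended-support laptops: datacenter only
 permit ip 10.200.3.0 0.0.0.255 10.0.16.0 0.0.1.255
 remark explicit deny with log covers the "where they were denied" gap
 deny   ip any any log
!
interface GigabitEthernet1/1
 description link to VPN 3005 private interface (assumed)
 ip access-group VPN-TO-INSIDE in
```

The ACL only works if the concentrator reliably assigns addresses from the per-group pools, so verify the pool-to-group mapping before relying on it; `deny ... log` entries show up in syslog, which is the first place to check that a group is landing in the expected pool.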
