Cisco Support Community

Global HA VPN with Role based authentication?

I am struggling with a customer requirement...

They require a remote access VPN solution, which connects back to three locations - Scotland, London and New York (using ASAs or their existing PIX 515Es).

The users are geographically dispersed around the world, but with the majority in the UK and the US. The requirement has two main aspects:

1) High availability - the users connect to the primary location (i.e. Scotland) but if unavailable, they automatically connect to the secondary (i.e. London) and then to the tertiary (i.e. NY). I believe this can be achieved using the Cisco client software and specifying the three connections in order of preference.

2) 'Role based' authentication and access privileges. Therefore if a standard user connects, they only get access to a limited set of applications, i.e. mail and web, but if an Administrator connects they would get access to a much larger set of apps. What is the simplest way of achieving this? Can Cisco VPN integrate with the Active Directory profiles already in use? Would I need Cisco ACS? If so, would I need ACS in all three locations? Would SSL or IPSec be a more appropriate technology?

Thanks for any help.



Re: Global HA VPN with Role based authentication?

ASA/PIX does support Active Directory profiles; however, for role-based authentication to work you will need ACS. The ACS will be required at a single location; however, a backup ACS is recommended in case the primary ACS fails for some reason. In your case I think SSL VPN will be a good choice.