Paul, I think that's partly an answer but not all of it. I'm looking particularly at where an organisation is looking to ultimately authenticate against an NT domain, either directly from a VPN3000 or via ACS.
Now let's say that there are various groups in your organisation (finance, accounting, etc.), and you want to have groups defined on your RAS to reflect this, with different permissions/ACLs for different groups.
We can create the different groups on the VPN3000, but given that all these groups are authenticating to a common NT user database, any valid username/password, in conjunction with a relevant group file, will get any user into any group. There is no way of confirming from the domain that the relevant user account is a member of that group (or that the group even exists in the domain).
Is there any way this can be done on one central server (NT or otherwise)? I was particularly wondering about ODBC and having usernames/passwords/group memberships defined in a table; however, from what I can see of the ODBC option, the default group parameter is only returned from the ODBC source after successful authentication. It's not actually part of the request passed to the ODBC source.