I have a Concentrator VPN3015 (3.6.7), and I'm using IPSec Client 3.6. I have configured 3 groups with internal authentication; each group permits remote access and RADIUS authentication. This configuration works, but the same user can belong to all 3 groups. I want to restrict one user to one group. For example, the sales group must permit only sales users. Don't forget that all users are defined in the RADIUS server.
You define an attribute on the Radius server for each user that specifies what concentrator group they belong to. That way no matter what concentrator group they configure in their VPN client, they'll be locked into, and get all the attributes of, whatever group is defined for them in the Radius server attribute.
I tested it, but it didn't work. I'm using ACE/SERVER Radius v5.0.01 from RSA. The authentication is OK, but so far I can't lock the user into the group. In the Radius user's profile, I have defined Class OU=g_piloto; g_piloto matches the name of the concentrator group.
Your issue here is that you have a single authentication means (and a common authentication database) for all 3 groups. Because all of your users are authenticated against the one source, if the users possess all of the different group files (profiles) they can authenticate in any of the groups defined on your concentrator.
You can get around this using radius/IAS. The way that you do this is:
Define a different radius server by ip address for authentication on each of your groups.
On your radius server, define three different NAS's by IP address to represent your three groups on your concentrator. Set your IAS policies so that users from each NAS will ONLY be accepted if they are also a member of a WINDOWS group called (whatever you want the group called).
Create the 3 groups in your windows domain, and assign your users to them.
NOW, the hard part is that between your concentrator and your windows IAS box, you have to perform a heap of network address translation so that the request from the VPN concentrator to the 3 "separate" radius ip addresses have destination NATed to the address of your windows IAS, whilst having source NATed to the 3 different group addresses. My network is a hybrid of routers/FW1/Pix/Gauntlet and Cyberguard, so I have a few ways of doing this, you'll have to make do with what you have. Also, watch out for Radius packet-level authentication, as this sort of thing can make it complain.
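A way to check what the RADIUS server actually returns for the group lock discussed above (an added example, not code from any poster in this thread or from Cisco or RSA): it parses an Access-Accept per RFC 2865, verifies the Response Authenticator, and extracts a Class (attribute 25) value of the form `OU=<group>;`. The packets, shared secret and function names are constructed for illustration, and the strict `OU=<group>;` match is an assumption based on the value quoted in the thread.

```python
import hashlib
import hmac
import re
import struct

CLASS = 25  # RADIUS attribute type 25 (Class), RFC 2865

def build_accept(ident, req_auth, secret, attrs):
    """Build a constructed Access-Accept (code 2) to stand in for a capture."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", 2, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def parse_attrs(packet):
    """Return [(type, value)] from a RADIUS packet, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs

def response_auth_ok(packet, req_auth, secret):
    """Check MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865."""
    length = struct.unpack("!H", packet[2:4])[0]
    want = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(want, packet[4:20])

def locked_group(packet):
    """Group from a Class value of the form OU=<name>; (assumed strict form)."""
    for attr_type, value in parse_attrs(packet):
        match = re.fullmatch(rb"OU=([^;]+);", value) if attr_type == CLASS else None
        if match:
            return match.group(1).decode("ascii", "replace")
    return None

# Constructed sample data (not from a real capture).
SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))
GOOD = build_accept(7, REQ_AUTH, SECRET, [(CLASS, b"OU=g_piloto;")])
NO_SEMI = build_accept(7, REQ_AUTH, SECRET, [(CLASS, b"OU=g_piloto")])

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("NO_SEMI", NO_SEMI)):
        print(name, response_auth_ok(pkt, REQ_AUTH, SECRET), locked_group(pkt))
```

If the server sends no Class attribute, or sends it in a different form, `locked_group` returns `None`, which separates a server-side profile problem from a concentrator-side one.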