New Member

Per-user automatic access rights (for all protocols) with single Win logon?

Is it possible for users logging on to a NT Domain or Active Directory to be automatically allocated certain access rights through a Pix for the duration of their session logged into their workstation? I know that something close to this can be done for outgoing Telnet, FTP and HTTP if the user logs into the Pix directly, but I am looking for a way to do this for any or all protocols with a single log on (the standard Windows logon). This will certainly need some sort of external software to do - does anyone know of anything suitable? (A similar thing is possible with the NetGuard GuardianPro using its 'Authentication Client' but this still requires a separate logon to the authentication client software).

4 REPLIES
New Member

Re: Per-user automatic access rights (for all protocols) with single Win logon?

Cisco Secure ACS should be able to provide you with the service you are looking for. It has the ability to use the Domain SAM or AD as an external database and authorize against it.

New Member

Re: Per-user automatic access rights (for all protocols) with single Win logon?

Thanks, I'll look at it and see if it does.

To put it another way, the software will need to dynamically update the security settings on the Pix for that user's workstation's IP address for the duration of the user's session on the workstation.

New Member

Re: Per-user automatic access rights (for all protocols) with single Win logon?

Looks like Cisco Secure ACS won't do it. I've read the PDF manual and, as far as I can see, Cisco Secure ACS can accept authentication/authorization requests supplied to it from an 'AAA client' (such as a Pix or router). However, I need the authentication/authorization request to come from the action of a user logging on to a NT/2000 workstation that is a member of a Domain or Active Directory. In turn, the act of logging on to the workstation will provide customised, per-user (or per-group), outgoing access controls for that user (on that workstation). Does that make sense?

I guess what I need is a tool that will allow NT Domains or Active Directory to communicate with Cisco Secure ACS as if they were an AAA client (such as a Pix, or a standard RADIUS or TACACS+ client). The tool must look for logons and logoffs to the Domain and translate those to RADIUS/TACACS+ messages to Cisco Secure ACS.

New Member

Re: Per-user automatic access rights (for all protocols) with single Win logon?

I have been battling with the same problems for some time now. And you are right with regards to Cisco Secure ACS not being able to accept requests from the user directly.

I am quite interested in a solution to this as my users are not very happy having to log on twice when I enable AAA for the Pix firewall. There must be a way round, but I have yet to find it. If there is a tool out there, can someone help?
