Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
457
Views
0
Helpful
1
Replies

Proxy authentication

epekou
Level 1
Level 1

‎09-28-2007 05:07 AM - edited ‎02-21-2020 10:19 AM

I have the following topology. R1 with firewall features, R2 and ACS belong to Customer A, while R3 with firewall features and VPN concentrator belong to Customer B.

User--Internet--R1FW---R2--R3FW--VPNConcentrator |

ACS

The requirement is for User which is a mobile user of Customer A to connect to Customer?s B VPN concentrator and open a IPSEC connection using Cisco VPN client.

User must also be authenticated when entering Customer A network and I am considering proxy authentication. So, before opening the vpn client, the user will initiate an http connection to R1 and authenticate itself to the ACS server using a username/password. If authentication is successful, an entry will be downloaded to the R1 inbound access-list to allow traffic from the IP of the authenticated user to the IP of the VPN concentrator.

The problem is that Customer B needs to know the IP addresses of users with vpn clients so that it can allow only traffic from this IP passing through R3 FW.

Since this is a mobile user it can connect from different places so he does not use a single IP.

Here are my thoughts/questions to address this issue:

1. Is it possible to assign User with a static IP when authentication with the ACS along with proxy authentication?

2. Can I use NAT outside at R1 so I translate user IP to a static IP? Do you see any issue with this implementation?

3. Is there another solution to achieve the above: 1. authentication of mobile users and static IP assignment?

Thanks,

Evi

Labels:
0 Helpful
1 Reply 1

j.langton
Level 1
Level 1

‎12-13-2007 07:01 PM

Does the Concentrator have connectivity with Cust A's ACS server? I assume so. The best way to assign the remote client an IP address is to use an IP pool which is attached to the VPN user's group. Then Cust B would be able to build fw rules around this subnet. Be sure to use NARs to permit only authentication to the VPN and not any other RADIUS/TACACS+ clients. HTH.

0 Helpful
Customers Also Viewed These Support Documents