The PIX is configured for remote access VPN. Mobile users use Cisco VPN Client software to connect and access the corporate network resources.
An AAA server is in place and is used in conjunction with the xauth feature to authenticate the mobile users using the Cisco VPN Client. The problem is that once any user is authenticated (whether he is in customer support or management or operations), he can access any part of the corporate network infrastructure.
How can I restrict this? One option is using multiple profiles on the PIX, but the users can easily install the .pcf file meant for other departments and are good to go.
What should I do? I was wondering if I can use the AAA server already in place to do the authorization for the mobile users. What would be the configuration changes required on the PIX to direct the mobile users to AAA for authorization?
Is your AAA server a Cisco Secure ACS server, and if so, what is the version of the software?
Depending on the above, what you might be able to do is use downloadable access-lists (DACLs), which are configured on the ACS server. So you can group your users into their respective departments, and then when they authenticate, that group gets a specific access-list applied on the PIX.
The groups could be configured on your ACS server, or the ACS server could query your AD groups (if you have AD).
The documentation that you have provided is using the Cisco ACS Server.
I already have RSA ACE Server which provides TACACS Services.
What I want is authorization for my remote access VPN clients. My only question is: are there any configuration lines that I need to specify in my PIX so that all remote access VPN clients are authorized?
Also, the authentication is already happening using the same TACACS services of the RSA box.
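To make the DACL suggestion above concrete, here is an added configuration sketch (not from any post in this thread) for a PIX 6.3 with XAUTH pointed at ACS. It assumes an ACS host at 10.1.1.5 on the inside interface, a shared secret "acs-secret", a crypto map named outside_map, an address pool vpnpool, and ACS groups named Support and Operations; note that ACS delivers downloadable ACLs inside the RADIUS Access-Accept, so the PIX must authenticate the VPN clients against a RADIUS server group rather than TACACS+ for this to work.

```cisco
! ---- PIX 6.3 side (assumed names and addresses, see lead-in) ----
! RADIUS server group used for XAUTH. ACS returns the user's group DACL
! in the Access-Accept; TACACS+ alone does not carry a per-user ACL.
aaa-server VPNRADIUS protocol radius
aaa-server VPNRADIUS (inside) host 10.1.1.5 acs-secret timeout 10
! Authenticate the VPN clients (XAUTH) against that server group
crypto map outside_map client authentication VPNRADIUS
! A single vpngroup/.pcf is now enough: what a user may reach comes from
! the ACS group he authenticates into, so copying another department's
! .pcf file changes nothing.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers password <group-password-placeholder>
! sysopt bypasses the interface ACL for IPsec traffic, but the ACL
! downloaded for the authenticated user is still applied to that user.
sysopt connection permit-ipsec

! ---- ACS side: Shared Profile Components > Downloadable IP ACLs ----
! Entries use PIX ACL syntax (subnet masks, no "access-list <name>" prefix)
! and each ACL is assigned to its ACS group. Sample addresses are constructed.
!
! DACL "Support-ACL", assigned to ACS group "Support"
permit tcp any host 10.2.0.10 eq 443
permit udp any host 10.2.0.53 eq 53
deny ip any any
!
! DACL "Ops-ACL", assigned to ACS group "Operations"
permit ip any 10.3.0.0 255.255.0.0
deny ip any any
!
! Equivalent without the DACL feature: return the lines as Cisco AV pairs
! (RADIUS attribute 26, vendor 9, type 1) in the group's RADIUS profile, e.g.
!   ip:inacl#1=permit tcp any host 10.2.0.10 eq 443
!   ip:inacl#2=deny ip any any
```

After a client connects, `show uauth` on the PIX lists the authenticated user together with the ACL that was downloaded for him, which is the quickest way to confirm that a support user and an operations user really end up with different access.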
Remote access VPN authorization enables users to securely communicate sensitive information to networks and servers over the VPN tunnel, using LAN, wireless LAN and various dial-up connections, including broadband.