07-26-2010 10:47 PM
Hi Guys,
I'm interested in implementing authorization (of sorts) on my VPN concentrator. Let me elaborate on my objectives. I would like a subset of my remote users to have access to certain systems on the network and the other users a different set of systems.
I'm hoping I can achieve this using ACLs based on group authentication; however, I cannot find where I might configure this.
I suppose I could assign the various groups a different DHCP scope and use my firewalls to achieve the same thing but this adds administrative overhead I would prefer to avoid.
Can anyone advise if my plan to use different ACLs based on group is viable, and if so how I configure this?
Thanks in advance
Rgds
Scott
08-02-2010 03:53 AM
Something along these lines?
08-02-2010 10:44 AM
You can also configure a static filter at the group level. Please refer to the sample configuration below.
08-02-2010 04:22 PM
Hi Todd,
I cannot access the document with my CCO. Looking at the URL, it's in the partner section. Perhaps you can email it to me? Or is it available elsewhere?
Rgds
Scott
08-03-2010 07:02 AM
08-03-2010 03:40 PM
Hi Todd,
Thanks so much. Looks like this will do the trick. Very much appreciated!
Cheers
Scott
08-02-2010 04:21 PM
Hi Charles,
Thanks for that, an interesting read; however, I don't believe it is applicable to my situation since I don't use a Cisco RADIUS solution for AAA.
What I have is 3005s at the perimeter acting as the VPN end-point. These end-points authenticate connections locally and do XAUTH via an RSA RADIUS server. There are a couple of ASAs between the 3005s and the RADIUS servers; however, they don't do any AAA as such.
The document you've provided me with seems to indicate authorisation needs to be done on a Cisco device that can store the ACLs, and provides examples for using ASAs. I would prefer to do it on the 3005s, if possible, and leave the ASAs untouched (assume the rules on the ASA allow all traffic through, and access will be more tightly defined at the 3005).
If you have any suggestions/further documentation to support my desired setup I'm all ears.
Thanks in advance
Cheers
Scott