
New Member

User/Group based ACLs with VPN Concentrator 3005

Hi Guys,

I'm interested in implementing authorization (of sorts) on my VPN concentrator. Let me elaborate on my objectives. I would like a subset of my remote users to have access to certain systems on the network and the other users a different set of systems.

I'm hoping I can achieve this using ACLs based on group authentication; however, I cannot find where I might configure this.

I suppose I could assign the various groups a different DHCP scope and use my firewalls to achieve the same thing but this adds administrative overhead I would prefer to avoid.

Can anyone advise if my plan to use different ACLs based on group is viable, and if so, how I configure this?

Thanks in advance

Rgds

Scott

1 ACCEPTED SOLUTION

Re: User/Group based ACLs with VPN Concentrator 3005

Here is the doc in .pdf format...

6 REPLIES
New Member

Re: User/Group based ACLs with VPN Concentrator 3005

Re: User/Group based ACLs with VPN Concentrator 3005

You can also configure a static filter at the group level.  Please refer to the sample configuration below.

http://www.cisco.com/en/US/partner/tech/tk59/technologies_configuration_example09186a0080094eac.shtml

New Member

Re: User/Group based ACLs with VPN Concentrator 3005

Hi Todd,

I cannot access the document with my CCO. Looking at the URL, it's in the partner section. Perhaps you can email it to me? Or is it available elsewhere?

Rgds

Scott

Re: User/Group based ACLs with VPN Concentrator 3005

Here is the doc in .pdf format...

New Member

Re: User/Group based ACLs with VPN Concentrator 3005

Hi Todd,

Thanks so much. Looks like this will do the trick. Very much appreciated!

Cheers

Scott

New Member

Re: User/Group based ACLs with VPN Concentrator 3005

Hi Charles,

Thanks for that, an interesting read; however, I don't believe it is applicable to my situation since I don't use a Cisco RADIUS solution for AAA.

What I have is 3005s at the perimeter acting as the VPN end-point. These end-points authenticate connections locally and do XAUTH via an RSA RADIUS server. There are a couple of ASAs between the 3005s and the RADIUS servers; however, they don't do any AAA as such.

The document you've provided me with seems to indicate authorisation needs to be done on a Cisco device that can store the ACLs, and provides examples for using ASAs. I would prefer to do it on the 3005s, if possible, and leave the ASAs untouched (assume the rules on the ASA allow all traffic through, and access will be more tightly defined at the 3005).

If you have any suggestions/further documentation to support my desired setup I'm all ears.

Thanks in advance

Cheers

Scott
