We have a 3030 running 4.6.x with a fairly simple configuration. Currently we have just one group configured on the concentrator into which all users are placed. We authenticate our users with a RADIUS server. The RADIUS server in turn authenticates the users against one of several different Unix password files and/or Microsoft Active Directory instances. Users indicate where the RADIUS server should look for their password by appending a realm to their username. For example, the RADIUS server looks for joe@math in the math department's Active Directory and fred@comsci in the computer science department's Unix password file.
Now I need to add a second group. This new group needs to be restricted so that users in this group are only authenticated against one specific password file. In other words, the RADIUS server needs to only use the chemistry password file for users of this group.
With other systems I've worked with this is fairly simple. You configure the remote access device (the concentrator in this case) to remove any realm provided by the user and to append a hard-coded realm. This would ensure that anyone trying to use the new Chemistry group on the concentrator would have @chem appended to their username when it is sent to the RADIUS server.
The thing is, I can't figure out how to do this with the VPN concentrator. I can strip the realm, but then I can't add a new one. If I use group lookup I could tell the users of the Chemistry group to append the @chem themselves, but then when a user of my default group appends their department (i.e. joe@math), the concentrator is going to try to find a group called math.
So, I feel kind of stuck. Any ideas, suggestions or solutions?
Do any of your users not have to enter a realm when they authenticate? If every other department has to enter a realm, and the RADIUS server sends them off to a specific user database based on that, then could you simply have the "chem" users not enter a realm at all, and have the RADIUS server authenticate non-realm'd users against your chem database? If one of your, say, "math" users forgets to add their realm they'll be authenticated against the "chem" DB, which will fail; they'll realise their mistake, add their "math" realm and get authenticated correctly.
Or you could set up a 2nd RADIUS server just for the "chem" users, and under their group on the VPN3000 add that in as an authentication server; that way only the "chem" users will authenticate against that RADIUS server.
Or, if there aren't too many "chem" users, you could simply add them into the VPN3000 local database instead of the RADIUS DB, then set up the new VPN3000 group to authenticate off the local database.
None of these are great options, but as you said, you can strip the realm but unfortunately you can't add a new one on. Just throwing some ideas out there, maybe one of them'll stick :-)
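As an added illustration (not code from the thread or from the VPN 3000 itself), here is a small model of the two realm-handling policies discussed above: a per-group "strip and append a fixed realm" rewrite, and a RADIUS-side fallback that sends realm-less users to one chosen store. The group names, realm names and backend labels are constructed for the example.

```python
# Added example, not from the original thread: models realm rewriting per VPN group
# and realm-based backend selection as a RADIUS proxy might apply them.
from typing import Optional

# Constructed mapping of realm -> user store (names are illustrative only).
REALM_BACKENDS = {
    "math": "math-active-directory",
    "comsci": "comsci-unix-passwd",
    "chem": "chem-unix-passwd",
}

# Per-group policy: a forced realm replaces whatever realm the user typed.
GROUP_FORCED_REALM = {
    "default": None,      # keep the user-supplied realm untouched
    "chemistry": "chem",  # strip any supplied realm and append @chem
}


def split_realm(username: str) -> tuple[str, Optional[str]]:
    """Split 'user@realm' into (user, realm); realm is None when absent.
    Only the last '@' counts as the separator, so 'a@b@math' keeps 'a@b'."""
    user, sep, realm = username.rpartition("@")
    if not sep:
        return username, None
    return user, (realm.lower() or None)


def rewrite_username(username: str, group: str) -> str:
    """Apply the group's realm policy before the name is forwarded to RADIUS."""
    user, realm = split_realm(username)
    forced = GROUP_FORCED_REALM.get(group)
    if forced is not None:
        realm = forced
    return f"{user}@{realm}" if realm else user


def select_backend(forwarded: str, default_realm: Optional[str] = None) -> Optional[str]:
    """Pick the store for a forwarded name. A missing realm uses default_realm
    (the 'chem users enter no realm' idea); None means the request is rejected."""
    _, realm = split_realm(forwarded)
    if realm is None:
        realm = default_realm
    if realm is None:
        return None
    return REALM_BACKENDS.get(realm)
```

Note that with the fallback policy a user who forgets a realm is checked against the chem store and simply fails, which is the behaviour the reply above expects.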