Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Associate remote users with specific VPN Profiles

Hi,

we currently use CiscoSecure server to authenticate our remote users against an RSA database.

We have set-up different .PCF files corresponding to the VPN groups on our firewall. So, a particular Profile is only allowed access to certain parts of the network. Then we give the PCF file to the relevant users(s).

This all works fine. However, there is nothing to stop a user obtaining and using a PCF file (e.g. from a colleague) with access to more areas of the network than we want to allow them to. i.e. the PCF files are not tied down to specific users.

Is there anyway this can be achieved with our existing set-up? Can we specify specific users from our Cisco Secure/RSA database are tied down to particular VPN profiles on our firewall?

Any suggestions on the best way of achieving this would be welcome.

9 REPLIES
Hall of Fame Super Blue

Re: Associate remote users with specific VPN Profiles

Hi

What you could do is use per user downloadable acl on your Cisco secure ACS server. When each user authenticates the firewall downloads a per user acl and adds it to the access-list on the outside interface.

HTH

Jon

New Member

Re: Associate remote users with specific VPN Profiles

Hi,

thanks for the suggestion, it sounds interesting.

I'm not familiar with the per user downloadable ACLs - do you have any more info on that and how to implement them?

(I'm a bit of a novice in general when it comes to the ACS server!)

Thanks.

Hall of Fame Super Blue

Re: Associate remote users with specific VPN Profiles

Sure, could you let me know what version of the ACS server you have so i can dig out some docs and also ensure your version supports downloadable acl's.

Jon

New Member

Re: Associate remote users with specific VPN Profiles

We have v4.1

Hall of Fame Super Blue

Re: Associate remote users with specific VPN Profiles

Okay v4.1 does support downloadable acl's.

What happens is that once your user has been authenticated via the ACS server your VPN device then receive a per-user or per-group ( it's up to you ) acl that is "added" to the existing access-list on the outside interface of your firewall. Assuming you are using a pix or ASA device you would apply your outside access-list (acl_outside in this example) with the following line in the config

access-group acl_outside in interface outside.

For downloadable acl's to work you need to amend this line to

access-group acl_outside in interface per-user-override

This allows the firewall to add the additional per user access to the outside access-list.

If authentication is already working off your firewall then the above is the only change you should need to make.

As for your ACS server, attached is a link on how to configure downloadable acl's that should get you started

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fe.html#wp892391

HTH

Jon

New Member

Re: Associate remote users with specific VPN Profiles

Thanks, I'll have a look at the info you've supplied.

New Member

Re: Associate remote users with specific VPN Profiles

one of the ways to do this is to download the user group policy profile from the acs when the user logon .

New Member

Re: Associate remote users with specific VPN Profiles

Thanks - do you have any more info on how to achieve this?

New Member

Re: Associate remote users with specific VPN Profiles

I am looking for a similar solution with the authentication used is Microsoft Active Directory through Microsoft IAS Radius server.

Any solution to tie down a user to specific profile?

295
Views
9
Helpful
9
Replies
CreatePlease to create content