Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Per user controls on VPN with ACS

Thinking about something and looking for a way to possibly do this.

Currently, with the VPN 3000, you create the different groups and assign split tunnel lists and filters to that group. Then the client (remote user) is put into that group based on what group authentication they have in their VPN profile they are using.

Now I know there is a way to make per-user filters on the VPN but the user's account must be created and exist locally on the VPN. This won't work for me because we have a bunch of VPN concentrators in different places where the user could conenct to. Plus it would be impossible to manually maintain them all.

But what I would really like to do is somehow use the ACS to determine what filter to apply on a per-user basis when the remote user connects to the VPN.

I want to do it this way and not rely completely on group authentications for access control because there is no guarantee that the user is using the right profile.

Ideally, I'd like to have a single ONE profile with only one group authentication and permit the different users access to different parts of the network based on their username.

I know, for example, the PIX can do such dynamic per-user ACLs sent from the ACS in the form of RADIUS attributes - which is what I'm wanting to do. Or something similar. But that only applies to an http session using authentication proxy. I'd really like to do some sort of integrated ACLs based on a remote VPN user's credentials.

Any suggestions or ideas at all?

Cisco Employee

Re: Per user controls on VPN with ACS


There are couple of ways to solve your problem.

a. For the end users, you can give a single profile and authenticate them to the ACS server.

b. On the ACS server, you can specify a Class attribute (25) which will allow that user to put in a specific group. (But the group you are specifying should exist on the VPN head end device, in your case - VPN 3K)

c. On the ACS server, you can specify per user level downloadable ACL.

Note: I believe, you need to have some filter applied on the group settings on the VPN 3K which will be overridden by the ACS per-user level filter.

After connectivity, you can go to Monitoring | Dynamic Filter and check out if the filters are being downloaded.

Hope this explains your questions.

Rate this post if it helps.