1145 Views, 0 Helpful, 4 Replies

ASA with 2 Remote Access VPN and 2 MS IAS

mattsmith (Level 1)

We have a Cisco 5510 with 2 IPSec Connection Profiles each using a different IAS for authentication.

If we add another VPN profile we need another IAS.

With Cisco ACS can it be configured for different VPN profiles from the same ASA 5510?

Thanks...

4 Replies

Hello Matt

Yes, you can. You need to configure an aaa-server (i.e. the ACS server) and add it to the different VPN profiles. The sample config will be:

    aaa-server vpn protocol radius
    aaa-server vpn host x.x.x.x
     key <shared-secret>
    ! both connection profiles reference the same server group "vpn"
    tunnel-group <tunnel-group-1> general-attributes
     authentication-server-group vpn
    tunnel-group <tunnel-group-2> general-attributes
     authentication-server-group vpn

thanks

Devashree

andamani (Cisco Employee)

yup..

On the ACS you just need to add the ASA as an AAA client.

On the ASA you can define this ACS server as the authentication server on as many tunnel-groups as you wish to.

Hope this helps.

Regards,

Anisha

P.S.:please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

OK... Here is the requirement for VPN.

Each ASA Connection Profile requires a different Windows group to authenticate.

So can the ACS be configured to know about the different ASA Connection Profiles?

Thus assign the correct windows group using external auth?

Thanks

Matt

Hello Matt

Here is what you need to configure.

[1] Configure group mapping of AD groups on the ACS server, in such a way that:

AD-1 ----> Group1 [acsgroup]

AD-2 ----> Group2 [acsgroup]

[2] Configure the group-lock feature on the ACS server, i.e. enable the class attribute.

     - if you have 2 - tunnel-groups on ASA say tunnel1 and tunnel2

     - enable class attribute 21

     - Group1 (on acs server) - class attribute " OU=tunnel1; "

     - Group2 (on acs server) - class attribute " OU=tunnel2; "

How will it work?

     - When user-A, who is a member of AD-1, connects, it will only be able to connect to "tunnel1", as ACS has bound the AD group to the tunnel-group. This feature is known as Group-lock.

Check this doc :

     - https://supportforums.cisco.com/docs/DOC-1746

Let me know if it helps.

thanks

Devashree
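For readers putting the two replies above together, here is a complete ASA-side configuration for the group-lock setup described in this thread. It is an added example, not configuration posted by Matt, Devashree or Anisha, and all names in it (server group "acs", address 10.0.0.5, group-policies gp-tunnel1 and gp-tunnel2, tunnel-groups tunnel1 and tunnel2) are assumed. On the ASA the RADIUS IETF Class attribute (attribute 25) with a value of the form "OU=<group-policy-name>;" selects the group-policy applied to the session, and the group-lock setting inside that group-policy is what pins the user to one tunnel-group; so the value ACS returns must name a group-policy that exists on the ASA, and it is the group-policy that carries the lock, not the tunnel-group itself.

```cisco
! Added example configuration; names and addresses are assumed.
! One RADIUS server group pointing at the ACS that authenticates both profiles.
aaa-server acs protocol radius
aaa-server acs (inside) host 10.0.0.5
 key <shared-secret>
!
! One group-policy per connection profile. The group-lock attribute rejects
! any session that received this policy but arrived via a different tunnel-group.
group-policy gp-tunnel1 internal
group-policy gp-tunnel1 attributes
 group-lock value tunnel1
!
group-policy gp-tunnel2 internal
group-policy gp-tunnel2 attributes
 group-lock value tunnel2
!
! Both connection profiles use the same ACS server group. The default-group-policy
! only applies when ACS returns no Class attribute for the user.
tunnel-group tunnel1 type remote-access
tunnel-group tunnel1 general-attributes
 authentication-server-group acs
 default-group-policy gp-tunnel1
!
tunnel-group tunnel2 type remote-access
tunnel-group tunnel2 general-attributes
 authentication-server-group acs
 default-group-policy gp-tunnel2
```

On the ACS side, the ACS group that AD-1 maps to returns Class = "OU=gp-tunnel1;" and the group for AD-2 returns Class = "OU=gp-tunnel2;". A member of AD-1 who connects to tunnel2 still authenticates successfully against ACS, but the ASA applies gp-tunnel1, whose group-lock names tunnel1, and the session is refused. To check that the ASA can reach ACS with the configured key, run `test aaa-server authentication acs host 10.0.0.5 username <user> password <password>` on the ASA; note this only exercises the RADIUS exchange, while group-lock is evaluated when the VPN session is established, so it must be tested with a real client connection to the wrong tunnel-group.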