Configuring Multiple LDAP profiles in ACS 5.3 - Query

s.aliyarukunju (Level 1)

Dear Experts,

I am facing an issue with ACS 5.3 while trying to configure RADIUS authentication in ACS for remote VPN users.

I have created two different LDAP profiles (2 different domain servers, one for Customer A and the other for Customer B) and created two Access Services (Network Access type), CORP-VPN-CUSTOMER-A and CORP-VPN-CUSTOMER-B.

Each Access Service is mapped to its respective LDAP profile for Identity, and to a CN path for Authorization (e.g. CN=VPN-CORP,CN=Users,DC=abc,DC=local).

Note: the Access Service for Customer A was created first, and then the one for Customer B.

Below are the points I noted during VPN authentication testing.

1. While testing the VPN authentication for Customer A, it hits the service selection rule for "CUSTOMER A", meaning it tries to use the LDAP for Customer A. So the test was successful.

2. While testing the VPN authentication for Customer B, it still hits the service selection rule for "CUSTOMER A", meaning it tries to use the LDAP for "Customer A" instead of "Customer B". So the test failed.

3. I disabled the Service Selection Rule for "Customer A" and then tested the VPN authentication for Customer B. It hits the service selection rule for "CUSTOMER B", meaning it tries to use the LDAP for Customer B. So the test was successful.

So how can we differentiate, or make the authentication request select the particular LDAP profile, for multiple customers?

Kind Regards

Accepted Solution

Jatin Katyal (Cisco Employee)

Since Customer A and Customer B are connecting to two different tunnel-groups, you can define a compound condition for a new rule with the dictionary 'RADIUS-Cisco VPN 3000/VPN/ASA/PIX 7.x' and the attribute 'CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name 146', which will come in the RADIUS Access-Request with the tunnel-group name. With this attribute you can differentiate the two requests: if the request is coming for CORP-VPN-CUSTOMER-A, look in the Customer A domain, and if it is coming for CORP-VPN-CUSTOMER-B, look in the Customer B profile.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin


4 Replies


Were you able to follow the above suggested configuration? Did that help you to make any progress in this matter? Do let us know if you have any query or concern.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

Many thanks for your reply.

Actually, here I am using a 7600 router with an SPA module (Easy VPN scenario) as the VPN gateway. So there are two SVIs on the VPN gateway (one for each customer) with crypto applied.

The issue got resolved by matching the SVI IP of each customer (using the device filter option in ACS under Policy Elements) with the customer's LDAP profile in the service selection rule.

But your logic is also great, and I will be using this attribute method when I move the remote VPN configuration to an ASA.

Thanks again!
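To make the two selection methods in this thread concrete, here is an added Python example; it is not from the original thread, from Cisco or from ACS itself. It encodes a constructed RADIUS Access-Request attribute list, decodes it, and runs it through an ordered, first-match rule table that mimics ACS service selection. It reproduces the symptom in the question (two rules whose conditions do not differ both match a Customer B request, so the one listed first wins), then shows the two fixes discussed above: the accepted answer's compound condition on the Cisco VPN 3000/ASA VSA Tunnel-Group-Name (sub-attribute 146 as named in the answer; the vendor ID 3076 is the Altiga/Cisco VPN 3000 vendor ID and is assumed here, as are the tunnel-group names), and the original poster's device filter on the NAS-IP-Address of each customer's SVI (the 10.0.1.1 and 10.0.2.1 addresses, user names and the `Rule` class are constructed for the example).

```python
import struct
from dataclasses import dataclass
from typing import Optional

# RADIUS attribute types (RFC 2865).
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
# Vendor ID of the "Cisco VPN 3000/VPN/ASA/PIX 7.x" dictionary (Altiga; assumed 3076).
VENDOR_CISCO_VPN3000 = 3076
# Sub-attribute named in the accepted answer: CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name.
VSA_TUNNEL_GROUP_NAME = 146


def _tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: type, total length (value + 2), value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def build_attrs(user: str, nas_ip: str, tunnel_group: Optional[str] = None) -> bytes:
    """Encode the attribute section of a constructed Access-Request."""
    out = _tlv(ATTR_USER_NAME, user.encode())
    out += _tlv(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    # An ASA sends the tunnel-group name as a VSA; the 7600 Easy VPN gateway
    # in the thread does not, which is what tunnel_group=None models.
    if tunnel_group is not None:
        sub = _tlv(VSA_TUNNEL_GROUP_NAME, tunnel_group.encode())
        out += _tlv(ATTR_VENDOR_SPECIFIC, struct.pack(">I", VENDOR_CISCO_VPN3000) + sub)
    return out


def parse_attrs(data: bytes) -> dict:
    """Decode TLVs; VSAs are keyed by (vendor_id, sub_type), others by type."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        t, ln = data[i], data[i + 1]
        value = data[i + 2:i + ln]
        if t == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack(">I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                st, sl = value[j], value[j + 1]
                attrs[(vendor, st)] = value[j + 2:j + sl]
                j += sl
        elif t == ATTR_NAS_IP_ADDRESS:
            attrs[t] = ".".join(str(b) for b in value)
        else:
            attrs[t] = value
        i += ln
    return attrs


@dataclass
class Rule:
    """One ACS-style service selection rule; every condition that is set must match."""
    name: str
    service: str                        # access service, and so the LDAP identity store
    tunnel_group: Optional[str] = None  # condition on VSA 3076/146 (accepted answer)
    nas_ip: Optional[str] = None        # condition on NAS-IP-Address (device filter)
    enabled: bool = True

    def matches(self, attrs: dict) -> bool:
        if not self.enabled:
            return False
        if self.tunnel_group is not None:
            if attrs.get((VENDOR_CISCO_VPN3000, VSA_TUNNEL_GROUP_NAME)) != self.tunnel_group.encode():
                return False
        if self.nas_ip is not None and attrs.get(ATTR_NAS_IP_ADDRESS) != self.nas_ip:
            return False
        return True


def select_service(rules, packet_attrs: bytes) -> Optional[str]:
    """Evaluate top-down, first match wins, as ACS does for service selection."""
    attrs = parse_attrs(packet_attrs)
    for rule in rules:
        if rule.matches(attrs):
            return rule.service
    return None  # ACS would fall through to its default rule here


# 1. The question's setup: neither rule has a distinguishing condition, so order decides.
ORIGINAL_RULES = [
    Rule("Customer A", "CORP-VPN-CUSTOMER-A"),
    Rule("Customer B", "CORP-VPN-CUSTOMER-B"),
]
# 2. Accepted answer: compound condition on the tunnel-group name sent by an ASA.
TUNNEL_GROUP_RULES = [
    Rule("Customer A", "CORP-VPN-CUSTOMER-A", tunnel_group="CORP-VPN-CUSTOMER-A"),
    Rule("Customer B", "CORP-VPN-CUSTOMER-B", tunnel_group="CORP-VPN-CUSTOMER-B"),
]
# 3. Poster's fix on the 7600: device filter on each customer's SVI address (constructed IPs).
NAS_IP_RULES = [
    Rule("Customer A", "CORP-VPN-CUSTOMER-A", nas_ip="10.0.1.1"),
    Rule("Customer B", "CORP-VPN-CUSTOMER-B", nas_ip="10.0.2.1"),
]
```

Running `select_service(ORIGINAL_RULES, build_attrs("bob", "10.0.2.1", "CORP-VPN-CUSTOMER-B"))` returns CORP-VPN-CUSTOMER-A, which is the failure in point 2 of the question; the same request against TUNNEL_GROUP_RULES, or a request without the VSA against NAS_IP_RULES, returns CORP-VPN-CUSTOMER-B. Note that a tunnel-group rule yields no match at all for a gateway that does not send the VSA, which is why the NAS-IP method was the one that worked on the 7600. Both conditions are asserted by the VPN gateway, so either rule is only as trustworthy as the RADIUS shared secret that authenticates that gateway's requests.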

Jatin Katyal (Cisco Employee)

Alright. Thanks for sharing your solution... Yup, that can also be done. Have a nice day ahead.


~Jatin