CSACS 3.3 groups with different rights for same NAS?

jasonhumes
Level 1

Hi

We have CSACS 3.3 set up to use our Active Directory as the external user database. We have two Active Directory groups, internet users and vpn users, mapped to CSACS groups with the same name. We have a PIX 515E which is set up for authentication as users attempt to access the internet, and we also use that same PIX 515E to terminate remote access VPN connections. The problem is that we only want certain users to be allowed to VPN into the PIX, and currently we can't figure out how to say "the vpn users group is the only group allowed to authenticate VPN requests" and "the internet users group is the only group allowed to authenticate internet users". How can we set this up so that the users in each group can only do what that group is for, or both if they are members of both groups? So, how can we tell the PIX to use the vpn users group for VPN auth, and the internet users group for internet access auth? This must be possible. Thanks.

2 Replies

darpotter
Level 5

You need ACS 4.0

You can then create 2 Network Access Profiles (NAPs), one for each service (internet and VPN)... PROVIDED you can differentiate the two RADIUS requests - is there an attribute that can be used to decide?

Assuming there is, inside a NAP the authorisation policy can be used to deny access from the vpn group to the internet service. In the other NAP you deny access from the internet group to the vpn service.

Clear as mud? Look here for the online docs:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e984.html
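As an added illustration (not from this thread or Cisco's documentation), the following Python model shows the decision darpotter describes: one profile per service selected by a RADIUS attribute, and an authorisation rule inside each profile keyed to one group, so that a user in both groups keeps both services. The attribute choice (NAS-Port-Type) and all usernames and group memberships are assumptions constructed for the example.

```python
"""Model of the two-NAP authorisation split described above.

Added illustration, not ACS configuration: the profile-selection attribute
(NAS-Port-Type, RADIUS attribute 61) and the group memberships are
assumptions chosen for this example.
"""

# Constructed AD-to-ACS group memberships (sample data, not real users).
USER_GROUPS = {
    "alice": {"internet users"},
    "bob": {"vpn users"},
    "carol": {"internet users", "vpn users"},
    "dave": set(),
}

# One profile per service. Each profile is selected by a RADIUS attribute
# value and names the only group whose members it will authorise.
# Assumption: the NAS tags VPN requests with NAS-Port-Type=Virtual and
# cut-through proxy (internet) requests with NAS-Port-Type=Ethernet.
PROFILES = {
    "vpn-service": {"match": ("NAS-Port-Type", "Virtual"), "allow": "vpn users"},
    "internet-service": {"match": ("NAS-Port-Type", "Ethernet"), "allow": "internet users"},
}


def select_profile(request):
    """Return the profile whose match attribute fits the request, or None
    when no profile applies (such a request is rejected outright)."""
    for name, profile in PROFILES.items():
        attr, value = profile["match"]
        if request.get(attr) == value:
            return name
    return None


def authorize(request):
    """Decide ACCEPT/REJECT for one RADIUS request given as a dict.

    A user in both groups passes both profiles; a user in neither group,
    or whose request matches no profile, is rejected."""
    profile = select_profile(request)
    if profile is None:
        return "REJECT"
    allowed_group = PROFILES[profile]["allow"]
    groups = USER_GROUPS.get(request.get("User-Name", ""), set())
    return "ACCEPT" if allowed_group in groups else "REJECT"


if __name__ == "__main__":
    for user in USER_GROUPS:
        for port_type in ("Virtual", "Ethernet"):
            req = {"User-Name": user, "NAS-Port-Type": port_type}
            print(f"{user:6} {port_type:9} -> {select_profile(req)}: {authorize(req)}")
```

Whether the real PIX actually sends a distinguishing attribute for the two services is exactly the open question in the thread; the model only shows what the NAP logic does once such an attribute exists.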

Hi

How can I generate two different RADIUS requests? Also, it seems strange that there is no way for the current ACS 3.3 to do this. To me it seems like a pretty basic feature, one NAS with different 'levels' of user access... a VPN user and an Internet user... hrmmm. Thanks for your help.

Jason