Multiple VPNs in ACS 5.2

akaradum
Level 1

Hi,

I'm trying to set up a system like this. I have two VPN groups defined in the router. Authentication is done via 5.2.

My question is, how can I lock a VPN group to a user group in ACS so that a user cannot connect to the VPN if trying to connect from the other VPN?

VPN1 - ACS group 1 - user 1

VPN2 - ACS group 2 - user 2

Let's say user 2 shouldn't be authenticated even if he has the credentials of VPN1.

Is it possible? If so, how?

Thanks a lot in advance

Ant

3 Replies

Eduardo Aliaga
Level 4

That depends on what you're trying to do. Let me understand. How do you plan to differentiate the users of VPN1 from the users of VPN2? Do you want some group of users to use only VPN1 and another group of users to use only VPN2? Is that right?

You say both VPNs are done in the same router? What's the difference between VPN1 and VPN2? Could you please paste your configuration?

Please give more information so we can help you out.

Hi Eduardo,

I've attached the config (where xx.xx are the real IPs that needed to be hidden for security purposes)

Yes, you've got the structure right. Group 1 users should only use VPN1 and shouldn't be authorized when they try to use VPN2, even if they have the VPN2 information. So, I need to associate VPNs with groups in the ACS.

As far as I've seen in the config file, the only difference between those VPNs seems to be the VPN names. Is there a way to fetch that information?

Also, what's weird is that this config doesn't try RADIUS auth if TACACS auth fails. So, I've moved all auth to TACACS in the ACS. I can successfully authorize the users of various groups through these VPNs, so that part is working. What I need is a way to differentiate which VPN they are using when connecting to the ACS so that I can grant or deny access. (I've heard of a VPN lock thing, though all information about that is on VPN 3000 concentrators; I couldn't implement it here.)

As an update:

I've tried cisco-av-pair = ipsec:user-vpn-group: VPN1

It doesn't work. Is there a way to check for the incoming call's ISAKMP profile name in ACS?

I've taken a good look at the debug. It says "id:VPN1" (or VPN2, based on which VPN profile I've tried to connect from) when the tunnel comes up.
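Added example, not from the thread and not Cisco code: a small audit script that applies the policy the original poster describes (each ACS group is locked to exactly one VPN profile) to debug output of the kind quoted above, so that a tunnel whose `id:` profile does not match the user's group is flagged. The only detail taken from the thread is that the debug line carries the ISAKMP profile as `id:VPN1`; the rest of the line layout, the user-to-group mapping and the sample lines are constructed for the example. This is a way to spot mismatches in logs after the fact, not a substitute for enforcing the lock on the router or in ACS.

```python
import re
from dataclasses import dataclass

# Policy from the thread: each ACS user group may only come in over one VPN
# profile. The mapping itself is constructed for this example.
ALLOWED_VPN_FOR_GROUP = {
    "ACS-Group1": "VPN1",
    "ACS-Group2": "VPN2",
}

# Which user belongs to which ACS group (constructed sample data).
USER_GROUP = {
    "user1": "ACS-Group1",
    "user2": "ACS-Group2",
}

# Constructed debug-style lines. Only the "id:<profile>" token is taken from
# the thread; the peer/user fields and the rest of the layout are assumptions.
SAMPLE_DEBUG = """\
ISAKMP:(1001): peer 203.0.113.10 id:VPN1 user:user1 tunnel up
ISAKMP:(1002): peer 203.0.113.11 id:VPN1 user:user2 tunnel up
ISAKMP:(1003): peer 203.0.113.12 id:VPN2 user:user2 tunnel up
ISAKMP:(1004): peer 203.0.113.13 id:VPN2 user:user1 tunnel up
ISAKMP:(1005): peer 203.0.113.14 id:VPN3 user:user1 tunnel up
ISAKMP:(1006): peer 203.0.113.15 id:VPN1 user:ghost tunnel up
"""

LINE_RE = re.compile(r"peer (?P<peer>\S+) id:(?P<vpn>\S+) user:(?P<user>\S+)")


@dataclass(frozen=True)
class Verdict:
    peer: str
    user: str
    vpn: str
    allowed: bool
    reason: str


def evaluate(user, vpn):
    """Return (allowed, reason) for a user arriving over the given VPN profile."""
    group = USER_GROUP.get(user)
    if group is None:
        return False, "unknown user"
    expected = ALLOWED_VPN_FOR_GROUP.get(group)
    if expected is None:
        return False, f"group {group} has no VPN assignment"
    if vpn != expected:
        return False, f"group {group} is locked to {expected}"
    return True, "ok"


def audit(text):
    """Parse debug lines and evaluate every tunnel that carries an id: token."""
    verdicts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated debug noise is skipped, not treated as a violation
        allowed, reason = evaluate(m["user"], m["vpn"])
        verdicts.append(Verdict(m["peer"], m["user"], m["vpn"], allowed, reason))
    return verdicts


def violations(text):
    """Only the tunnels that the group-to-VPN lock would have denied."""
    return [v for v in audit(text) if not v.allowed]


if __name__ == "__main__":
    for v in audit(SAMPLE_DEBUG):
        state = "ALLOW" if v.allowed else "DENY "
        print(f"{state} peer={v.peer} user={v.user} vpn={v.vpn} ({v.reason})")
```

Running it on the constructed sample flags user2 arriving over VPN1, user1 arriving over VPN2, a profile no group is assigned to, and a user ACS knows nothing about; the two matching tunnels pass.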