06-01-2014 04:20 AM - edited 03-10-2019 09:45 PM
Hi,
Requirement is to configure RA-VPN users to authenticate with ACS 5.4.
However each profile needs to be mapped to separate DL within same AD.
Meaning a user from DL "A" should be able to log in using profile "A" only, not using profile "B". Even if he does, it should fail to authenticate.
A user from DL "B" should be able to log in to profile "B" only, not profile "A"...
RA-VPN gateway is Cisco ASA & as of now authentication is happening successfully but profile based DL restriction not working.
That means, if by mistake user A connects to the gateway with profile "B", he gets logged in, as AD is a common auth container.
To my info: there is no intelligence built between Cisco ASA & ACS 5.4 to know from which profile the authentication request has come in, & even if there is, ACS won't know how to deal with it.
Request someone guide how this can be achieved with ACS 5.4 if feasible... If not feasible, how can this be achieved?
Yogesh
06-02-2014 12:25 AM
Yogesh,
Correction to this:
"To my info : There is no intelligence built between Cisco ASA & ACS 5.4 to know that from which profile authentication request has come in & even if it is their ACS wont know how to deal it."
Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA
Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-557971
Tunnel group will be connection profile:
Tunnel Group Name (146)
What do you mean by DL?
http://www.networksa.org/?p=360 - The group lock functionality.
Club the incoming attribute tunnel group with the return attribute and you got what you need.
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed
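To make the reply concrete, here is an added worked example (my own illustration, not code from the thread, from Cisco, or from ACS) of the policy logic Ed describes: read the Cisco Tunnel Group Name VSA (146) out of the RADIUS Access-Request the ASA sends, compare it against the connection profile permitted for the user's AD group, and either reject the request or accept it with a group-lock return attribute. The RADIUS framing follows RFC 2865 (attribute 26 Vendor-Specific, Cisco enterprise number 9); the Tunnel-Group-Lock VSA number 85 is quoted from memory of the ASA RADIUS attribute table and should be verified against it; the `USER_TO_DL` and `DL_TO_PROFILE` tables, the user names and the profile names are constructed stand-ins for the AD lookup and the ACS authorization rule.

```python
import struct

# RFC 2865 attribute numbers and the Cisco IANA enterprise number
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
# Cisco VSA 146 (Tunnel Group Name) is the one quoted in the ASA release note above.
CISCO_VSA_TUNNEL_GROUP_NAME = 146
# Cisco VSA for the ASA "Tunnel-Group-Lock" return attribute; number recalled from
# the ASA RADIUS attribute table, verify before relying on it (assumption).
CISCO_VSA_TUNNEL_GROUP_LOCK = 85

# Constructed policy: each AD distribution list maps to the only profile it may use.
DL_TO_PROFILE = {"DL-A": "profile-A", "DL-B": "profile-B"}
# Constructed directory result standing in for the AD group lookup ACS performs.
USER_TO_DL = {"alice": "DL-A", "bob": "DL-B"}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _cisco_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap a Cisco VSA inside a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_request(username: str, tunnel_group: str, identifier: int = 1) -> bytes:
    """Construct the kind of Access-Request an ASA sends for a connection profile (sample packet)."""
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _cisco_vsa(CISCO_VSA_TUNNEL_GROUP_NAME, tunnel_group.encode())
    authenticator = bytes(16)  # constructed; a real ASA sends a random Request Authenticator
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))  # Code 1 = Access-Request
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list and pull out User-Name and the Cisco Tunnel-Group-Name VSA."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    out = {"User-Name": None, "Tunnel-Group-Name": None}
    pos = 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            out["User-Name"] = value.decode()
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = struct.unpack("!BB", value[4:6])
            # Only trust a correctly sized Cisco VSA 146; ignore anything else.
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_VSA_TUNNEL_GROUP_NAME \
                    and vlen == len(value) - 4:
                out["Tunnel-Group-Name"] = value[6:4 + vlen].decode()
        pos += alen
    return out


def authorize(packet: bytes):
    """Return (decision, reason, return_attributes) for one Access-Request."""
    req = parse_attributes(packet)
    user, tunnel_group = req["User-Name"], req["Tunnel-Group-Name"]
    dl = USER_TO_DL.get(user)
    if dl is None:
        return "Access-Reject", "user is not a member of any permitted DL", {}
    if tunnel_group is None:
        # An ASA older than 8.4 would not send VSA 146; fail closed rather than guess.
        return "Access-Reject", "no Tunnel-Group-Name VSA in request", {}
    allowed = DL_TO_PROFILE[dl]
    if tunnel_group != allowed:
        return ("Access-Reject",
                f"{user} ({dl}) used profile {tunnel_group}; only {allowed} is permitted", {})
    # Match: accept and pin the session to that profile via the group-lock VSA.
    return "Access-Accept", "profile matches DL", {"Tunnel-Group-Lock": allowed}


if __name__ == "__main__":
    for user, profile in [("alice", "profile-A"), ("alice", "profile-B"), ("bob", "profile-B")]:
        decision, reason, attrs = authorize(build_access_request(user, profile))
        print(f"{user:6} via {profile}: {decision} ({reason}) {attrs}")
```

In ACS terms the same decision is one authorization rule per DL whose condition is "RADIUS Cisco VSA Tunnel-Group-Name equals <profile>" combined with AD group membership; the example fails closed when the VSA is absent, which is the case worth checking if the ASA is older than the 8.4 release quoted above.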