03-10-2007 01:25 AM - edited 03-10-2019 03:02 PM
Hi, I am using a PIX 7.2 and ACS 3.2. I want to perform remote access VPN authentication and authorization through AAA using RADIUS. I am able to use it when I am using local group policy on the PIX, but I am not able to do it using ACS. I was trying to use Cisco avpair to send the parameters but it's not happening. Somebody please tell me the steps to proceed.
03-16-2007 08:19 AM
Hi,
Group mapping would really not be the answer for your problem.
What you will have to do is configure NARs on all groups of ACS which do not need access to the PIX. On the NAR, deny access to the PIX.
Regards,
Vivek
03-16-2007 08:22 AM
And setting up the NAR will allow me to use group mapping as well?
I am told that Dynamic ACLs are the way I need to go because if the person who is not on the NT Group logs into the VPN and is part of the default group, then they will be authenticated to the PIX.
I think group mapping via NT and ACS are hosed and authorization in RADIUS is not working as described.
Thanks
Dwane
03-16-2007 08:34 AM
Hi,
Dynamic ACLs will allow the user to get in, but at most you can stop him from going anywhere after logging in.
NAR will deny the user access to the VPN altogether.
ACS is working as designed. We need to configure authorization as required, and that is what you can do using ACLs or NARs.
Regards,
Vivek