01-11-2011 11:13 PM - edited 03-10-2019 05:42 PM
Dear Friends,
I have two VPN concentrators and ASA 5580 appliances, and I'm using both platforms for IPSec VPN termination. We have also installed Cisco ACS 5.2 appliances.
My question is:
What is the best way to do the authorization (where the users can access inside our internal network) in the new ACS 5.2 appliances? I.e., is the downloadable ACL a good option, or do you prefer another method?
It is better if we can use the DACL and map it to the user, so when we delete the user its own DACL will also be deleted automatically.
Thanks in advance
01-12-2011 02:08 AM
Hello,
Yes, dACL is a good option to have ACLs dynamically assigned to users. For more info on how to configure it on ACS 5.2, you can refer to the following:
Hope it helps.
Best regards,
Bernardo
01-12-2011 04:56 AM
Hello,
Thanks for your response.
Can I add the DACL option inside the user as a field, or do I need to create a new DACL --> authorization Profile --> authorization Policy?
If the second option, how can I map the authorization policy to the user or the group?
Thanks
01-13-2011 07:23 AM
Hi,
Do you know if it is possible to restrict network access without using ACS?
I.e., can I use an LDAP server for VPN authorisation to restrict user VPN access?
Will Windows 2003 be able to do this?
Thanks
Mario
01-13-2011 08:44 AM
Hi Mario,
Do you mean restriction of network after the VPN users are authenticated?
If yes, you can do it by configuring DAP.
Here is the link for DAP:
http://www.ciscosystems.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml#intro
Hope this answers your question.
Regards,
Anisha
P.S.: please mark this thread answered if you feel your query is answered.