Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

699
Views
0
Helpful
0
Replies
Highlighted
Michael Dombek
Michael Dombek Beginner
Beginner
‎06-30-2010 05:33 AM
‎06-30-2010 05:33 AM

ACS + ASA + VPN + Certificates problem

Hi CSC Team,

I´m currently struggling with a problem concerning VPN logins. To be honest I´m not if this problem can be solved.

My setup looks like the following:

ACS Server 4.2 for AAA

ASA 8.2 as VPN endpoint

Cisco VPN Client 5.0.0.7

The VPN Client connects to the ASA using certificates, based on the certification map the ASA assigns a vpn tunnel-group, in this tunnel group AAA is configured using radius of the ACS.

When the user is authenticated dACL are downloaded etc. this works perfect.

What I now need is, if the same User logs in with another certificated from the ASA should assign a different tunnel group and should do AAA again against the ACS Server but should then get a total different set of dACL.

EG:

User A – connects to ASA1 – gets Tunnel group VPNCLient – AAA dACL from ACS1 = permit ip any any

User A- Connects to ASA1 – gets Tunnel group Smartphone – AAA dACL from ACS1= permit tcp any host x.x.x.x eq 80

I hope some has an Idea how to solve this, thanks in advance

Michael

Labels:
0 Helpful
Reply
Latest Contents
Stealthwatch Enterprise - what capabilities does it provide ...
Created by ben.greenbaum on 12-12-2019 11:27 AM
0
0
0
0
Threat Response integrates with Cisco Stealthwatch Enterprise (SWE) to provide Visibility into network threats. By adding an SWE module to Threat Response, investigators will be able to search for network flows to or from IP addresses that have been reco... view more
Monitoring Failover status (ASA Cluster, Active/Standby) by ...
Created by Oleg Volkov on 12-12-2019 02:26 AM
0
0
0
0
Hi.Want to know Failover cluster status? If You have PRTG do it in 5 min.Download my sensor.Deploy REST API to Your ASA,sAdd my sensor to PRTG and set parameters:In PRTG device settings add linux user and password (ASA user, which have read permissions)-u... view more
#CiscoChat Live: Consumer Perspectives on Data Privacy
Created by Kelli Glass on 12-10-2019 11:00 AM
0
0
0
0
Join us live on Thursday, December 12 at 10:00 am PT (and on demand after) for an in-depth look at the latest Cisco Cybersecurity report. The Cisco 2019 Consumer Privacy Survey shows consumers placing a greater premium on data privacy, providing comp... view more
#CiscoChat Live: Consumer Perspectives on Data Privacy
Created by Kelli Glass on 12-10-2019 10:55 AM
5
0
5
0
Join us live on Thursday, December 12 at 10:00 am PT (and on demand after) for an in-depth look at the latest Cisco Cybersecurity report. The Cisco 2019 Consumer Privacy Survey shows consumers placing a greater premium on data privacy, providing comp... view more
How to find/get the registration key from FTD
Created by Eahwar34 on 12-06-2019 03:14 AM
0
0
0
0
We are in need of finding registration key used for our FTD , unfortunately we have forget the key and also it is encrypted . How to find the key from FTD ?
CreatePlease to create content
Discussion
Blog
Document
Video