12-07-2011 08:05 AM - edited 03-10-2019 06:36 PM
Greetings all!
I'd like to ask you guys if you ever had to configure a deployment in the way my client wants.
We're using Cisco Secure ACS 5.2 as a Proxy AAA server, using Active Directory as an External Identity Store. They are already synced and connected and thus I can login into the VPN using my Domain credentials.
But that's not enough. My client needs to limit who can and can't establish a VPN session. I mean, the way it is now, EVERY single employee can do that if his/her credentials are valid in the Active Directory domain controller. So I need to do two things:
1) Using the Microsoft NPS server, via the dial-in attribute, allow or deny VPN sessions using ACS/ASA;
2) Using the company user credential attribute to identify which Authorization Group the requesting user should be in, Downloadable ACLs will then be applied according to the access policies created for each company.
I've looked for documentation in the Cisco portal but couldn't find anything really useful. Can anyone help me out?
Thanks in advance!
Regards, Dan
12-08-2011 07:30 AM
Ok! I've managed to get the 'company' attribute working and use it to trigger the various Group Mapping >> Authorization Profiles I have configured in the ACS.
The remaining problem is the 'msNPAllowDialin' attribute. Is there any way to do this check on ACS 5.2? I heard it's a built-in check on version 5.3, but I'm afraid to upgrade since I've seen many, many issues here on the NetPro forums regarding this new version.
Any thoughts on this one?
Thanks once more!
Regards, Dan
12-08-2011 09:07 AM
You can create a compound condition in your authorization policy. The compound condition can use any AD attribute you configured.
12-08-2011 09:32 AM
Hey Nicolas!
Thanks for your reply! Unfortunately I don't know how to make a compound condition using the 'msNPAllowDialin' attribute. Using the 'company' attribute I was able to do a compound condition, since the ACS actually gets that from the user credentials, see the picture attached.
When I create the 'msNPAllowDialin' attribute, the report says:
24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
24458 Not all Active Directory attributes are retrieved successfully
Besides, the logic type of the 'msNPAllowDialin' attribute is Boolean and I can't create a compound rule using this type; only String, IPv4 Address and Unsigned Int 32-bit types are available. I've tried setting it to String and Unsigned Int, but the error message is the same.
Any other suggestion?
Thanks again!
Regards, Dan
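Before building a condition on 'msNPAllowDialin', it is worth checking on the AD side which user objects actually carry the attribute: it is only present on accounts where dial-in has been explicitly allowed or denied, and message 24100 above is ACS reporting that the attribute is absent from the subject record. The script below is an added example, not code from the thread; it parses ldapsearch-style LDIF text (the sample entries, names and domain are constructed) and classifies each user as explicit allow, explicit deny, or unset.

```python
# Classify AD users as an AAA server keyed on msNPAllowDialin would see them.
# Input is ldapsearch-style LDIF text; the sample below is constructed.
from typing import Dict, List

SAMPLE_LDIF = """\
dn: CN=Dan,OU=Users,DC=example,DC=com
sAMAccountName: dan
company: Acme
msNPAllowDialin: TRUE

dn: CN=Eve,OU=Users,DC=example,DC=com
sAMAccountName: eve
company: Acme
msNPAllowDialin: FALSE

dn: CN=Bob,OU=Users,DC=example,DC=com
sAMAccountName: bob
company: Widgets
"""

def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split LDIF into one attribute dict per entry (single-valued attrs only)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries

def dialin_state(entry: Dict[str, str]) -> str:
    """'allow'/'deny' when msNPAllowDialin is explicitly set, else 'unset'.
    'unset' is the case behind ACS message 24100: nothing on the subject
    record to compare, so only a configured default value can apply."""
    value = entry.get("msNPAllowDialin")
    if value is None:
        return "unset"
    return "allow" if value.upper() == "TRUE" else "deny"

def audit(text: str) -> Dict[str, str]:
    """Map sAMAccountName -> dial-in state for every entry in the LDIF."""
    return {e["sAMAccountName"]: dialin_state(e) for e in parse_ldif(text)}
```

Any account reported as 'unset' will trigger 24100 in ACS until a value is set on it or a default value is configured for the attribute.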