01-06-2006 11:36 AM - edited 02-21-2020 02:11 PM
I want to configure authentication via ACS to ensure that users are using the correct client profile (some are more permissive than others, and I'd like to filter access in ACS). How can I configure ACS to check the group membership of a user when he's being authenticated via ACS?
01-08-2006 05:43 PM
You can lock users into a specific group on the VPN3000 via ACS; that might be a better way to do it. Basically, no matter what group the user has in their VPN client profile, they will be put into whatever VPN3000 group is specified in their ACS profile.
This works quite well: you can define a VPN3000 group with virtually no access to anything on the internal network, then distribute all your VPN clients with a profile connecting into that group. You then define other specific groups on the VPN3000 with specific network access, and via the user's profile on ACS you can lock them into that group; there's no way they can change it even if they change their VPN client profile.
Check out http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml for details.
If you don't want to do that specifically, you can specify ACLs and filters either on ACS and pass them down to the VPN3000, or define them on the VPN3000 and have ACS point to them. Check out http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094eac.shtml.
Hope that helps.
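The group-lock behaviour described in the answer above, as an added example that is not part of the original post or of Cisco's own code. It assumes the lock is delivered to the concentrator as RADIUS attribute 25 (Class) with a value of the form `OU=<group>;` in the Access-Accept (this is the mechanism the linked configuration example is based on); the attribute bytes, group names and IP value are constructed here. The code parses the raw attribute TLVs, extracts the ACS-assigned group, and shows that whatever group the user put in the client profile is ignored when ACS returns a lock.

```python
import struct

# RADIUS attribute type numbers (IETF-assigned).
CLASS_ATTR = 25      # Class: carries "OU=<group>;" in this setup (assumption)
FRAMED_IP_ATTR = 8   # Framed-IP-Address: used only as a second, unrelated attribute


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type(1) length(1) value; length covers the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Parse a run of RADIUS TLV attributes into a list of (type, value) pairs.

    Length fields are validated so a truncated or malformed reply raises instead
    of silently yielding a partial attribute list.
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def locked_group(attrs):
    """Return the group name from a Class attribute of the form OU=<group>;, else None."""
    for attr_type, value in attrs:
        if attr_type != CLASS_ATTR:
            continue
        text = value.decode("ascii", errors="replace")
        if text.startswith("OU="):
            return text[3:].rstrip(";")
    return None


def effective_group(client_profile_group, accept_attrs):
    """Group the tunnel actually lands in.

    The ACS-assigned group always wins; the client profile group is only a
    fallback when ACS returns no lock at all.
    """
    group = locked_group(accept_attrs)
    return group if group is not None else client_profile_group


if __name__ == "__main__":
    # Constructed Access-Accept attributes: ACS locks the user into "engineering".
    reply = parse_attrs(
        encode_attr(CLASS_ATTR, b"OU=engineering;")
        + encode_attr(FRAMED_IP_ATTR, b"\x0a\x00\x00\x05")
    )
    # The user edited the client profile to ask for "fullaccess"; the lock still holds.
    print(effective_group("fullaccess", reply))   # engineering
    # With no Class attribute the user stays in the restricted default group.
    no_lock = parse_attrs(encode_attr(FRAMED_IP_ATTR, b"\x0a\x00\x00\x05"))
    print(effective_group("restricted", no_lock))  # restricted
```

The practical point for the design in the answer is visible in `effective_group`: distribute every client with the restricted group in its profile, and the only way to reach a more permissive group is for ACS to return the lock, which the user cannot influence from the client side.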
01-10-2006 11:59 AM
Thanks, solution #1 is exactly what I wanted to do. I wasn't able to find it when I did a search, but I knew I could configure the group restriction somehow in ACS; I've configured other restrictions in ACS for wireless and dialup.