05-04-2004 06:27 AM - edited 02-21-2020 01:08 PM
Hi,
I'm trying to regulate access of ACS groups to a concentrator: 1 group should only have WebVPN access, another should be able to also use IPSec.
I've tried using user-assigned filters, access-times, group-locking, all to no avail.
I don't think I can use NARs (after all, the authenticating client is in both cases the same concentrator), and for one reason or another, when I apply authorization: Radius it doesn't seem to change anything, while if I then check the 'require authorization' box all access fails (yes, I've defined a Radius Authorization server).
Any thoughts?
Grtz, Joost
05-10-2004 06:24 AM
This document might give you some ideas; it discusses user group management through ACS:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/g.htm
05-10-2004 09:19 AM
Hi,
Thanks for the follow-up, but it's still unclear to me which option I should choose. What could be the defining factor that enables me to permit/deny groups to use either WebVPN or IPSec?
05-19-2005 01:01 PM
Ditto..
I would also like to know how to control WebVPN via groups in ACS. However I'd like to be able to assign what services users can get to through WebVPN via ACS groups. Any ideas?
05-23-2005 10:40 AM
We have a similar configuration, where we enabled IPSec and WebVPN services and all user authentications are going through ACS. However, note that SVC can't be controlled from the ACS internal groups must be configured on the VPN concentrator. Now, if you want to control the access service, use group locking using Class 25 (i.e. OU=groupname;).
Use [3076\011] CVPN3000-Tunneling-Protocols for the required tunnel protocol (i.e. WebVPN or IPSec or both).
Make sure that RADIUS Auth. is set at the top in the VPN concentrator auth. servers.
Good Luck
M. Alomairy
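The two reply attributes named in the post above, encoded as they would appear in a RADIUS Access-Accept and decoded again for auditing. This is an added example, not code from the thread or from Cisco. Assumptions: the group names are hypothetical, and the bitmap values (4 = IPSec, 16 = WebVPN, and so on) are taken from Cisco's VPN 3000 RADIUS attribute documentation, not from this page.

```python
import struct

VENDOR = 3076                 # vendor ID from the post: [3076\011]
TUNNELING_PROTOCOLS = 11      # CVPN3000-Tunneling-Protocols
# Assumption: bitmap values per Cisco's VPN 3000 attribute documentation
PROTO_BITS = {"PPTP": 1, "L2TP": 2, "IPSec": 4, "L2TP/IPSec": 8, "WebVPN": 16}
# Constructed sample policy; both group names are hypothetical
POLICY = {"WebVPN-Only": ["WebVPN"], "WebVPN-IPSec": ["IPSec", "WebVPN"]}

def class_attr(group):
    """RADIUS Class (25) carrying the group-lock string OU=<group>;"""
    value = f"OU={group};".encode()
    return struct.pack("!BB", 25, 2 + len(value)) + value

def tunneling_attr(protocols):
    """Vendor-Specific (26) wrapping VSA 3076/11 as a 32-bit bitmap."""
    bitmap = 0
    for name in protocols:
        bitmap |= PROTO_BITS[name]
    vsa = struct.pack("!BBI", TUNNELING_PROTOCOLS, 6, bitmap)
    return struct.pack("!BBI", 26, 6 + len(vsa), VENDOR) + vsa

def build_reply(group):
    """Attribute bytes the RADIUS server would return for one ACS group."""
    return class_attr(group) + tunneling_attr(POLICY[group])

def decode_reply(blob):
    """Parse attributes back into (group, allowed protocols) for auditing."""
    group, allowed, i = None, [], 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute length")
        atype, alen, value = blob[i], blob[i + 1], blob[i + 2:i + blob[i + 1]]
        if atype == 25 and value.startswith(b"OU=") and value.endswith(b";"):
            group = value[3:-1].decode()
        elif atype == 26 and len(value) == 10:
            vendor, vtype, _vlen, bitmap = struct.unpack("!IBBI", value)
            if (vendor, vtype) == (VENDOR, TUNNELING_PROTOCOLS):
                allowed = [n for n, b in PROTO_BITS.items() if bitmap & b]
        i += alen
    return group, allowed

if __name__ == "__main__":
    for g in POLICY:
        blob = build_reply(g)
        print(g, blob.hex(), decode_reply(blob))
```

Comparing the decoded output against a packet capture of the Access-Accept shows whether the group is actually being sent the tunnel protocols intended for it.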