VPN and multiple "dynamic" access lists (ASA + ACS)

Patrick Tran
Level 1

Hi, 

We have different external users which need different access lists in our company network.
They are connected to our company network with VPN through a Cisco ASA.
Those users are grouped together in LDAP groups.
For example: LDAP-Group1 needs ACL1 and LDAP-Group2 needs ACL2.

Scenario 1: Filter-ID
We configured ACL1 and ACL2 on the ASA.
The ASA delegates authentication and authorization to ACS.
ACS validates the user's authentication, then checks the user's groups on the LDAP server.
If the user is in LDAP-Group1, ACS sends the ASA the RADIUS attribute "Filter-ID" with the value "ACL1".
The ASA permits the VPN session and applies ACL1 to the user's session.

Scenario 2: Downloadable ACL
We configured ACL1 and ACL2 on ACS (as dACLs).
The ASA delegates authentication and authorization to ACS.
ACS validates the user's authentication, then checks the user's groups on the LDAP server.
If the user is in LDAP-Group1, ACS sends the ASA a Downloadable ACL with the name "ACL1" and its content.
The ASA permits the VPN session and applies ACL1 to the user's session.

Those 2 scenarios work great if you want to apply a dynamic ACL to VPN sessions.

If the user is a member of both LDAP-Group1 and LDAP-Group2, I want to send ACL1 + ACL2...
How could I do this?
I can't select 2 dACLs or 2 Filter-IDs.

Thanks for your help,

Patrick
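For readers unfamiliar with how Scenario 1 looks on the firewall, here is the ASA side of the Filter-ID setup as an added, constructed example; it is not configuration from the original post or from Cisco. All names (ACL1/ACL2 rule contents, the server group ACS, its address, the tunnel group EXTERNAL-USERS, the group policy EXTERNAL-POLICY) are assumptions, and the shared secret is a placeholder.

```text
! Constructed example (not from the post): Scenario 1, Filter-ID, on the ASA.
! ACS returns RADIUS attribute 11 (Filter-Id) with the value "ACL1" or "ACL2";
! the ASA looks up an access-list of that exact name and applies it as the
! session's vpn-filter, overriding whatever vpn-filter the group policy sets.
access-list ACL1 extended permit tcp any host 10.10.1.20 eq 443
access-list ACL1 extended deny ip any any
access-list ACL2 extended permit tcp any host 10.10.2.30 eq 22
access-list ACL2 extended deny ip any any

! RADIUS server group that handles both authentication and authorization
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.10.0.5
 key <shared-secret-placeholder>

! Remote-access tunnel group that delegates auth/authz to ACS
tunnel-group EXTERNAL-USERS type remote-access
tunnel-group EXTERNAL-USERS general-attributes
 authentication-server-group ACS
 authorization-server-group ACS
 default-group-policy EXTERNAL-POLICY

! Group policy with no static filter; the per-user Filter-Id supplies it
group-policy EXTERNAL-POLICY internal
```

Two points worth checking when troubleshooting this setup: the Filter-Id value must match an access-list name on the ASA character for character (a name that does not exist results in no filter being applied), and `show vpn-sessiondb detail` on the ASA shows which filter name was actually attached to the session, which is the quickest way to confirm what ACS returned.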
