VPN Client authentication and authorization

Hi,

I've a PIX 535 (6.3.4) with an ACS 3.2 in place. I'm using TACACS+ with an external Windows user DB for authentication. I've installed the Cisco VPN Client 4.0.3F on my PC. When I connect to the PIX, a logon window prompts for user ID and password. When I enter the Windows credentials everything works fine, but:

1. How can I permit and deny access generally and/or to specific IP addresses/address ranges based on the user ID of the Windows domain?

2. I can't see usernames in the accounting logs of the ACS.


ehirsel
Level 6

You need to configure the PIX for authorization and accounting, using the same ACS server that you do for authentication, in order to do what you want. Note that you can use TACACS+ as the protocol for both. However, PIX 6.1 versions and higher do support downloadable ACLs, but that requires the use of RADIUS instead of TACACS+. The benefit of downloadable ACLs is that you can configure them on the AAA server (which is ACS in your case) instead of on the PIX unit itself.

Here are some helpful links:

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Technologies:IPSec&s=Implementation_and_Configuration#Samples_and_Tips

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/config/index.htm

Let me know if you need any more help.
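The two paths the reply describes, written out as PIX 6.3 configuration. This is an added example and not configuration from either poster; the interface name, server address, shared key, pool range, crypto map name and ACL contents are assumptions, not values from the thread, and the `aaa accounting`/`aaa authorization` match statements are left at `0 0 0 0` (match everything) so that the address-ordering rules of those commands do not matter. Check each command against the 6.3 configuration guide linked above before pasting.

```cisco
! --- Common: AAA server groups on the PIX 535 (6.3), ACS 3.2 at 10.1.1.10 (assumed) ---
! Both groups point at the same ACS box, as the reply says they must.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 s3cr3t-key timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 s3cr3t-key timeout 5

! --- Path A: keep TACACS+ for everything (authentication, authorization, accounting) ---
! Extended authentication (xauth) for VPN clients against the TACACS+ group.
! "outside_map" is an assumed crypto map name; use the one already on your PIX.
crypto map outside_map client authentication TACACS+
! PIX 6.x aaa authorization only works with a TACACS+ group; the per-user
! permit/deny decisions then live in the ACS user/group setup.
aaa authorization include any outside 0 0 0 0 TACACS+
! This is what makes usernames appear in the ACS "TACACS+ Accounting" report:
! without an aaa accounting statement the PIX never sends accounting records.
aaa accounting include any outside 0 0 0 0 TACACS+

! --- Path B: RADIUS so that ACS can push a downloadable ACL per user/group ---
! Only the xauth server group changes; the ACL itself is built on ACS under
! Shared Profile Components > Downloadable IP ACLs and assigned to the user or group.
crypto map outside_map client authentication RADIUS
aaa accounting include any outside 0 0 0 0 RADIUS

! Example downloadable ACL body entered on ACS (assumed addresses):
! it is written in PIX access-list syntax without the "access-list <name>" prefix,
! with subnet masks (not IOS wildcard masks), and applies to that user's VPN traffic.
!   permit tcp any host 10.1.2.20 eq 3389
!   permit ip any 10.1.3.0 255.255.255.0
!   deny ip any any
```

Which path to pick follows from question 1: if the per-user restrictions are IP/port based and you want them maintained on ACS rather than on the PIX, use path B; if you only need accounting and coarse permit/deny, path A keeps your existing TACACS+ setup. In both cases `show uauth` on the PIX will show the authenticated VPN user, and the accounting entries on ACS are keyed by that username.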