Re: VPN Users Authentication in ACS

From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Tue Mar 17 2009 - 11:40:29 ART


Hi Jose,

Currently on ACSv4.2, I am very confident there is no such support for what
you are trying to do. There is a similar functionality, however, called
Network Access Filtering, which only performs policy manipulation based on
Access Device (previously configured), Access Device Groups, or NAS IP
Address. If you go to Shared Profile Components - Network Access Filtering,
you would see what I am talking about there. But AFAIK, that version of ACS
has no capability to manipulate a username string and make a policy decision.

ACSv5.0 has been designed to provide much more control in this regard with
very flexible NAF (aka Service Selection). You can perform network policy
service selection based on much more (literally all RADIUS and TACACS
attributes inbound to ACS, plus a few more criteria) and even the username
string. However, even at this, you can only do Equals, Not Equals, Starts
With, Ends With, without any ability to perform string manipulation like you
would like to do.

HTH,
Sadiq

On Tue, Mar 17, 2009 at 12:01 PM, Jose A. Arnau Alvarez <jaral18@hotmail.com> wrote:

> Hi everyone!
>
> I have some questions about the VPN users authentication in ACS. I have an
> ASA 5520 that performs functions of VPN concentrator, and authenticates
> users in an ACS 4.2. Users who connect use a username like "userX@groupY"
> in the VPN client software prompt, and I would like the text string behind
> the @ to be used in ACS in order to dynamically assign that user to the
> group of the text string (Group Y). I don't know if this is possible with
> ACS, but I would like to know if anyone knows.
>
> Thank you very much and best regards.
>
> ---------------------
> ---------------------
> Jose A. Arnau Alvarez
> CCIE R&S #23051
> ---------------------
> ---------------------
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
CCIE #19963

Blogs and organic groups at http://www.ccie.net
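
The four username operators named in the reply above, modelled as a rule table (an added example, not part of the original thread and not ACS configuration). The rule layout, first-match order, case-sensitive comparison and every policy name are assumptions; the point is that a suffix such as `@groupY` can only be matched by one static rule per group, never extracted.

```python
# Illustrative model, not ACS configuration. The four operators are the ones
# named in the thread; rule layout, first-match order, case-sensitive
# comparison and all result names are assumptions.
OPERATORS = {
    "Equals": lambda value, operand: value == operand,
    "Not Equals": lambda value, operand: value != operand,
    "Starts With": lambda value, operand: value.startswith(operand),
    "Ends With": lambda value, operand: value.endswith(operand),
}

DEFAULT_RESULT = "DenyAccess"  # hypothetical fall-through result

# Constructed rule table: one static rule per known group suffix.
RULES = [
    ("Ends With", "@groupX", "GroupX-Policy"),
    ("Ends With", "@groupY", "GroupY-Policy"),
]


def validate_rules(rules):
    """Reject unknown operators and empty operands before evaluation."""
    for operator, operand, _result in rules:
        if operator not in OPERATORS:
            raise ValueError(f"unsupported operator: {operator!r}")
        if not operand:
            # An empty operand makes Starts With / Ends With match everything.
            raise ValueError("empty operand would match every username")


def select_policy(username, rules=RULES):
    """Return the result of the first matching rule, else the default."""
    validate_rules(rules)
    for operator, operand, result in rules:
        if OPERATORS[operator](username, operand):
            return result
    return DEFAULT_RESULT


def suffixes_without_rule(usernames, rules=RULES):
    """Audit helper (runs outside the policy engine): list the @suffixes seen
    in usernames that no rule covers, i.e. groups needing a new static rule."""
    missing = set()
    for name in usernames:
        if "@" in name and select_policy(name, rules) == DEFAULT_RESULT:
            missing.add(name[name.rindex("@"):])
    return sorted(missing)
```

A username for a group with no rule falls through to the default until an administrator adds that rule by hand.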



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART