RE: VPN Users Authentication in ACS

From: Tyson Scott (tscott@ipexpert.com)
Date: Tue Mar 17 2009 - 11:49:33 ART


Jose,

One way or another you need to assign a user to a group. It would not be a
good security function to say that any user who claims to be a part of
groupX should be allowed to do so.

You could pass the user string on to an external database, such as Active
Directory or LDAP, have it return to ACS the user group they are a part of,
and in ACS map that external group to the group you want in ACS.

It would not be a recommended security practice to assign users to groups
based on user requests. That is the reason this would not be designed into
ACS.

Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott@ipexpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Tuesday, March 17, 2009 10:40 AM
To: Jose A. Arnau Alvarez
Cc: Grupo de Estudio CCIE
Subject: Re: VPN Users Authentication in ACS

Hi Jose,

Currently on ACSv4.2, I am very confident there is no such support for what
you are trying to do. There is a similar functionality however, called
Network Access Filtering, which only performs policy manipulation based on
Access Device (previously configured), Access Device Groups, or NAS IP
Address. If you go to Shared Profile Components - Network Access Filtering,
you would see what I am talking about there. But AFAIK, that version of ACS
has no capability to manipulate a username string and make policy decisions.

ACSv5.0 has been designed to provide much more control in this regard with
very flexible NAF (aka Service Selection). You can perform network policy
service selection based on much more (literally all RADIUS and TACACS
attributes inbound to ACS, plus a few more criteria) and even the username
string. However, even at this, you can only do Equals, Not Equals, Starts
With, Ends With, without any ability to perform string manipulation like you
would like to do.

HTH,
Sadiq

On Tue, Mar 17, 2009 at 12:01 PM, Jose A. Arnau Alvarez <jaral18@hotmail.com> wrote:

> Hi everyone!
>
> I have some questions about the VPN users authentication in ACS. I have an
> ASA 5520 that performs functions of VPN concentrator, and authenticates
> users in an ACS 4.2. Users who connect use a username like "userX@groupY"
> in the VPN client software prompt, and I would like the text string behind
> the @ to be used in ACS in order to dynamically assign that user to the
> group of the text string (Group Y). I don't know if this is possible with
> ACS, but I would like to know if anyone knows.
>
> Thank you very much and best regards.
>
> ---------------------
> ---------------------
> Jose A. Arnau Alvarez
> CCIE R&S #23051
> ---------------------
> ---------------------
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
CCIE #19963



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART