Re: VPN Users Authentication in ACS

From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Tue Mar 17 2009 - 11:54:29 ART


Well said Tyson! There you are Jose, an external DB would be your solution.

On Tue, Mar 17, 2009 at 2:49 PM, Tyson Scott <tscott@ipexpert.com> wrote:

> Jose,
>
> One way or another you need to assign a user to a group. It would not be a
> good security function to say that any user that says they are a part of
> groupX should be allowed to do so.
>
> You could pass the user string on to an external database, such as Active
> Directory or LDAP, and have it return to ACS the user group they are a
> part of, and in ACS map that returned group to the group you want in ACS.
>
> It would not be a recommended security practice to assign users to groups
> based on user requests. Thus the reason this would not be designed into
> ACS.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: tscott@ipexpert.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Sadiq Yakasai
> Sent: Tuesday, March 17, 2009 10:40 AM
> To: Jose A. Arnau Alvarez
> Cc: Grupo de Estudio CCIE
> Subject: Re: VPN Users Authentication in ACS
>
> Hi Jose,
>
> Currently on ACSv4.2, I am very confident there is no such support for what
> you are trying to do. There is a similar functionality, however, called
> Network Access Filtering, which only performs policy manipulation based on
> Access Device (previously configured), Access Device Groups, or NAS IP
> Address. If you go to Shared Profile Components - Network Access Filtering,
> you would see what I am talking about there. But AFAIK, that version of ACS
> has no capability to manipulate a username string and make a policy
> decision.
>
> ACSv5.0 has been designed to provide much more control in this regard with
> very flexible NAF (aka Service Selection). You can perform network policy
> service selection based on much more (literally all RADIUS and TACACS
> attributes inbound to ACS, plus a few more criteria) and even the username
> string. However, even at this, you can only do Equals, Not Equals, Starts
> With, Ends With, without any ability to perform string manipulation like you
> would like to do.
>
> HTH,
> Sadiq
>
> On Tue, Mar 17, 2009 at 12:01 PM, Jose A. Arnau Alvarez <jaral18@hotmail.com>
> wrote:
>
> > Hi everyone!
> >
> > I have some questions about the VPN users authentication in ACS. I have an
> > ASA 5520 that performs the functions of a VPN concentrator, and
> > authenticates users in an ACS 4.2. Users who connect use a username
> > like "userX@groupY" in the VPN client software prompt, and I would like
> > the text string behind the @ to be used in ACS in order to dynamically
> > assign that user to the group named by that text string (Group Y). I don't
> > know if this is possible with ACS, but I would like to know if anyone knows.
> >
> > Thank you very much and best regards.
> >
> > ---------------------
> > ---------------------
> > Jose A. Arnau Alvarez
> > CCIE R&S #23051
> > ---------------------
> > ---------------------
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> CCIE #19963

-- 
CCIE #19963
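The point Tyson makes above is worth seeing in code: the text after the "@" in the login name is a claim made by the client, so an authorization decision cannot rest on it; the group has to come from an authoritative source (AD/LDAP) and then be mapped to an ACS group. The following is an added example written for this archive page, not code from the thread or from Cisco ACS. The directory contents, user names and group names are constructed sample data, and the two policy functions are hypothetical models of the "trust the suffix" scheme from the original question and of the directory-backed scheme recommended in the replies.

```python
"""Model of 'userX@groupY' handling: self-asserted suffix vs directory lookup.

Added example, not from the thread or from ACS. All users and groups are
constructed sample data; the dicts stand in for AD/LDAP and for the ACS
external-group-to-ACS-group mapping.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the external directory's group membership.
DIRECTORY = {
    "alice": "Sales-Staff",
    "bob": "NetOps-Admins",
}

# Constructed mapping from directory groups to ACS groups (the mapping step
# Tyson describes).
GROUP_MAP = {
    "Sales-Staff": "VPN-Sales",
    "NetOps-Admins": "VPN-Admins",
}


@dataclass
class Decision:
    user: str
    acs_group: Optional[str]
    allowed: bool
    reason: str


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split 'userX@groupY' into ('userX', 'groupY'); suffix is None if absent."""
    user, sep, suffix = login.partition("@")
    return user, (suffix if sep else None)


def self_asserted_policy(login: str) -> Decision:
    """The scheme from the original question: grant whatever follows '@'.

    Shown only for contrast: the group is chosen by whoever types the login,
    so any user can place themselves in any group.
    """
    user, suffix = split_login(login)
    if suffix is None:
        return Decision(user, None, False, "no group suffix supplied")
    return Decision(user, suffix, True, "group taken from client-supplied suffix")


def directory_backed_policy(login: str) -> Decision:
    """The scheme the replies recommend.

    The suffix never influences authorization. The directory says which group
    the user belongs to, and that group is mapped onto an ACS group; a user
    unknown to the directory or without a mapping is denied.
    """
    user, suffix = split_login(login)
    dir_group = DIRECTORY.get(user)
    if dir_group is None:
        return Decision(user, None, False, "user not found in directory")
    acs_group = GROUP_MAP.get(dir_group)
    if acs_group is None:
        return Decision(user, None, False, f"no ACS mapping for {dir_group}")
    if suffix is not None and suffix != acs_group:
        # The client asserted a different group; record it for audit, but the
        # directory's answer still decides.
        reason = f"suffix {suffix!r} ignored; directory places user in {acs_group}"
    else:
        reason = f"directory places user in {acs_group}"
    return Decision(user, acs_group, True, reason)


if __name__ == "__main__":
    for login in ("alice@VPN-Admins", "bob", "mallory@VPN-Admins"):
        print(login, "->", self_asserted_policy(login))
        print(login, "->", directory_backed_policy(login))
```

Run as a script, the first policy hands "alice@VPN-Admins" the VPN-Admins group on her say-so, while the second places her in VPN-Sales regardless of the suffix and denies "mallory", who is not in the directory at all. The suffix can still be useful as a display hint or for logging, which is why the directory-backed function records a mismatch in its reason string rather than silently discarding it.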

This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART