Re: VPN Users Authentication in ACS

From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Tue Mar 17 2009 - 12:35:14 ART


Actually, thinking about this more, it's possible in ACSv5.0 with the
username attribute and *"Ends With"* option.

Sadiq

On Tue, Mar 17, 2009 at 2:54 PM, Sadiq Yakasai <sadiqtanko@gmail.com> wrote:

> Well said Tyson! There you are Jose, an external DB would be your solution.
>
>
> On Tue, Mar 17, 2009 at 2:49 PM, Tyson Scott <tscott@ipexpert.com> wrote:
>
>> Jose,
>>
>> One way or another you need to assign a user to a group. It would not be a
>> good security function to say that any user that says they are a part of
>> groupX should be allowed to do so.
>>
>> You could pass the user string on to an external database, such as Active
>> Directory, or LDAP, and have them assign to ACS the user group they are a
>> part of and in ACS map that group assigned to the group you want in ACS.
>>
>> It would not be a recommended security practice to assign users to groups
>> based on user requests. Thus the reason this would not be designed into
>> ACS.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> Telephone: +1.810.326.1444
>> Cell: +1.248.504.7309
>> Fax: +1.810.454.0130
>> Mailto: tscott@ipexpert.com
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Sadiq Yakasai
>> Sent: Tuesday, March 17, 2009 10:40 AM
>> To: Jose A. Arnau Alvarez
>> Cc: Grupo de Estudio CCIE
>> Subject: Re: VPN Users Authentication in ACS
>>
>> Hi Jose,
>>
>> Currently on ACSv4.2, I am very confident there is no such support for what
>> you are trying to do. There is a similar functionality however, called
>> Network Access Filtering, which only performs policy manipulation based on
>> Access Device (previously configured), Access Device Groups, or NAS IP
>> Address. If you go to Shared Profile Components - Network Access Filtering,
>> you would see what I am talking about there. But AFAIK, that version of ACS
>> has no capability to manipulate a username string and make a policy
>> decision.
>>
>> ACSv5.0 has been designed to provide much more control in this regard with
>> very flexible NAF (aka Service Selection). You can perform network policy
>> service selection based on much more (literally all RADIUS and TACACS
>> attributes inbound to ACS, plus a few more criteria) and even the username
>> string. However, even at this, you can only do Equals, Not Equals, Starts
>> With, Ends With, without any ability to perform string manipulation like you
>> would like to do.
>>
>> HTH,
>> Sadiq
>>
>> On Tue, Mar 17, 2009 at 12:01 PM, Jose A. Arnau Alvarez <jaral18@hotmail.com> wrote:
>>
>> > Hi everyone!
>> >
>> > I have some questions about the VPN users authentication in ACS. I have an
>> > ASA 5520 that performs functions of VPN concentrator, and authenticates
>> > users in an ACS 4.2. Users who connect use a username like "userX@groupY"
>> > in the VPN client software prompt, and I would like the text string behind
>> > the @ to be used in ACS in order to dynamically assign that user to the
>> > group of that text string (Group Y). I don't know if this is possible with
>> > ACS, but I would like to know if anyone knows.
>> >
>> > Thank you very much and best regards.
>> >
>> > ---------------------
>> > ---------------------
>> > Jose A. Arnau Alvarez
>> > CCIE R&S #23051
>> > ---------------------
>> > ---------------------
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>>
>>
>> --
>> CCIE #19963
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> --
> CCIE #19963
>

-- 
CCIE #19963

Blogs and organic groups at http://www.ccie.net
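The point Tyson makes in the thread (a client-supplied "@groupY" suffix must not be the source of a group assignment; the authoritative answer comes from an external directory such as AD or LDAP, whose group is then mapped to the ACS group) can be shown side by side in code. The following is an added example written for this archive page, not code from any poster, from Cisco ACS, or from an ASA; the directory contents, the group-mapping table and the user names are constructed sample data, and the functions are hypothetical stand-ins for what an authentication backend would do.

```python
"""
Two ways an authentication backend could handle a VPN login of the form
"userX@groupY": trusting the suffix (insecure) versus looking the user up
in an authoritative directory and mapping that directory group to an ACS
group. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an external user store (AD/LDAP):
# username -> set of directory groups the user really belongs to.
DIRECTORY = {
    "alice": {"CN=VPN-Engineering,OU=Groups,DC=example,DC=test"},
    "bob": {"CN=VPN-Contractors,OU=Groups,DC=example,DC=test"},
}

# Constructed mapping from directory groups to ACS user groups
# (the "map that group to the group you want in ACS" step).
GROUP_MAP = {
    "CN=VPN-Engineering,OU=Groups,DC=example,DC=test": "Engineering",
    "CN=VPN-Contractors,OU=Groups,DC=example,DC=test": "Contractors",
}


@dataclass
class Decision:
    user: str
    acs_group: Optional[str]
    accepted: bool
    reason: str


def split_login(login: str) -> tuple:
    """Split 'userX@groupY' into ('userX', 'groupY'); the suffix may be absent."""
    user, sep, suffix = login.partition("@")
    return user, (suffix if sep else None)


def assign_by_suffix(login: str) -> Decision:
    """INSECURE: the group is taken straight from the client-supplied string.
    Anyone with a valid username can claim any group, which is why the
    thread says this should not be designed into ACS."""
    user, suffix = split_login(login)
    if suffix is None:
        return Decision(user, None, False, "no group suffix")
    return Decision(user, suffix, True, "trusted client-supplied suffix")


def assign_by_directory(login: str, directory=DIRECTORY, group_map=GROUP_MAP) -> Decision:
    """Authoritative: ignore the suffix for authorization, look the user up in
    the directory, and map the returned group to an ACS group. The suffix is
    at most checked for consistency, never used as the source of truth."""
    user, suffix = split_login(login)
    groups = directory.get(user)
    if not groups:
        return Decision(user, None, False, "user not found in directory")
    mapped = sorted(group_map[g] for g in groups if g in group_map)
    if not mapped:
        return Decision(user, None, False, "no directory group maps to an ACS group")
    acs_group = mapped[0]
    if suffix is not None and suffix != acs_group:
        # The claim contradicts the directory: reject (and log) rather than
        # silently honouring the client's assertion.
        return Decision(user, None, False,
                        f"claimed '{suffix}' but directory says '{acs_group}'")
    return Decision(user, acs_group, True, "group taken from directory")


if __name__ == "__main__":
    for login in ("bob@Engineering", "bob@Contractors", "alice", "mallory@Engineering"):
        print(login, "->", assign_by_suffix(login))
        print(login, "->", assign_by_directory(login))
```

With the constructed data, `assign_by_suffix("bob@Engineering")` hands a contractor the Engineering group simply because he typed it, while `assign_by_directory` returns the group the directory actually holds for bob and rejects the mismatched claim; an unknown user is refused outright. The ACS 5.0 "Ends With" rule Sadiq mentions can select a service based on the suffix, but the group membership itself should still come from the directory lookup, as in the second function.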



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART