From: Jose A. Arnau Alvarez (jaral18@hotmail.com)
Date: Tue Mar 17 2009 - 13:33:44 ART
I'll give you some more details on what my idea was. The idea is that the
ASA passes VPN client usernames to the ACS, and the ACS,
according to the group to which that user belongs, validates against one
database or another. For example, if it is jose@admin,
validate in the administrators database (Active Directory, for example), and if
it is Mark@cisco, validate in the providers database (LDAP). Of course, even though the
user indicates that the username belongs to that group (userX@groupY), the
database must still validate it correctly.
Thank you very much again!!!
---------------------
---------------------
Jose A. Arnau Alvarez
CCIE R&S #23051
---------------------
---------------------
Date: Tue, 17 Mar 2009 15:35:14 +0000
Subject: Re: VPN Users Authentication in ACS
From: sadiqtanko@gmail.com
To: tscott@ipexpert.com
CC: jaral18@hotmail.com; ccielab@groupstudy.com
Actually, thinking about this more, it's possible in ACSv5.0 with the username
attribute and the "Ends With" option.
Sadiq
On Tue, Mar 17, 2009 at 2:54 PM, Sadiq Yakasai <sadiqtanko@gmail.com> wrote:
Well said Tyson! There you are Jose, an external DB would be your solution.
On Tue, Mar 17, 2009 at 2:49 PM, Tyson Scott <tscott@ipexpert.com> wrote:
Jose,
One way or another you need to assign a user to a group. It would not be a
good security function to say that any user who says they are a part of
groupX should be allowed to do so.
You could pass the user string on to an external database, such as Active
Directory or LDAP, have it assign to ACS the user group they are a
part of, and in ACS map that assigned group to the group you want in ACS.
It would not be a recommended security practice to assign users to groups
based on user requests. That is the reason this would not be designed into
ACS.
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott@ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Tuesday, March 17, 2009 10:40 AM
To: Jose A. Arnau Alvarez
Cc: Grupo de Estudio CCIE
Subject: Re: VPN Users Authentication in ACS
Hi Jose,
Currently on ACSv4.2, I am very confident there is no such support for what
you are trying to do. There is similar functionality, however, called
Network Access Filtering, which only performs policy manipulation based on
Access Device (previously configured), Access Device Groups, or NAS IP
Address. If you go to Shared Profile Components - Network Access Filtering,
you will see what I am talking about there. But AFAIK, that version of ACS
has no capability to manipulate a username string and make a policy decision.
ACSv5.0 has been designed to provide much more control in this regard with
very flexible NAF (aka Service Selection). You can perform network policy
service selection based on much more (literally all RADIUS and TACACS
attributes inbound to ACS, plus a few more criteria) and even the username
string. However, even at this, you can only do Equals, Not Equals, Starts
With, Ends With, without any ability to perform string manipulation like you
would like to do.
HTH,
Sadiq
On Tue, Mar 17, 2009 at 12:01 PM, Jose A. Arnau Alvarez <jaral18@hotmail.com> wrote:
> Hi everyone!
>
> I have some questions about VPN user authentication in ACS. I have an ASA
> 5520 that performs the functions of a VPN concentrator and authenticates
> users against an ACS 4.2. Users who connect use a username like
> "userX@groupY" at the VPN client software prompt, and I would like the text
> string after the @ to be used in ACS in order to dynamically assign that
> user to the group named by the text string (Group Y). I don't know if this
> is possible with ACS, but I would like to know if anyone knows.
>
> Thank you very much and best regards.
>
> ---------------------
> ---------------------
> Jose A. Arnau Alvarez
> CCIE R&S #23051
> ---------------------
> ---------------------
--CCIE #19963
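The design the thread converges on has two distinct pieces: the realm suffix after the '@' is only a routing hint that selects which identity store to consult (the ACS 5 "Ends With" service-selection rule Sadiq mentions), while the group that drives authorization comes from the selected directory, as Tyson insists, never from what the user typed. The following Python sketch is an added illustration of that split; it is not ACS code and not a Cisco API. The two stores, the user entries, the passwords and the group-to-profile mapping are constructed test data standing in for Active Directory and LDAP.

```python
"""Realm-suffix store selection for VPN logins, with group membership taken
from the selected directory rather than from the username string.
Added example, not Cisco ACS code; all store contents are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import hmac


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    store: Optional[str] = None
    profiles: Tuple[str, ...] = ()
    reason: str = ""


def _h(pw: str, salt: str) -> str:
    # Salted SHA-256 only to keep the demo self-contained; a real deployment
    # binds to AD/LDAP and never stores VPN passwords in the policy server.
    return hashlib.sha256((salt + pw).encode()).hexdigest()


# Constructed stand-ins for the two external identity stores in the thread.
# Each entry: bare account name -> (salt, password digest, directory groups).
STORES = {
    "AD-admins": {
        "jose": ("s1", _h("Adm1nPass!", "s1"), ("Domain Admins", "VPN-Admins")),
    },
    "LDAP-providers": {
        "mark": ("s2", _h("Pr0viderPass", "s2"), ("cn=providers",)),
    },
}

# Service-selection rules in the ACS 5 style: test the username attribute with
# "Ends With" / "Equals" and pick a store.  First matching rule wins.
SELECTION_RULES = [
    ("ends_with", "@admin", "AD-admins"),
    ("ends_with", "@cisco", "LDAP-providers"),
]

# Directory group (the authoritative source) -> authorization profile.
# Directory groups with no mapping grant nothing.
GROUP_MAP = {
    "VPN-Admins": "ADMIN-FULL",
    "cn=providers": "PROVIDER-LIMITED",
}


def select_store(username: str) -> Optional[str]:
    """Pick the identity store from the username suffix; None means no rule hit."""
    u = username.lower()
    for kind, pattern, store in SELECTION_RULES:
        if kind == "ends_with" and u.endswith(pattern):
            return store
        if kind == "equals" and u == pattern:
            return store
    return None  # would fall to the default service in ACS; here: deny


def strip_realm(username: str) -> str:
    """The store sees only the bare account; the @realm is a routing hint."""
    return username.rsplit("@", 1)[0]


def authenticate(username: str, password: str) -> AuthResult:
    store = select_store(username)
    if store is None:
        return AuthResult(False, reason="no service-selection rule matched")
    entry = STORES[store].get(strip_realm(username).lower())
    if entry is None:
        # Claiming "@admin" routes to AD; if AD has no such account, deny.
        return AuthResult(False, store, reason="user not in selected store")
    salt, digest, dir_groups = entry
    if not hmac.compare_digest(digest, _h(password, salt)):
        return AuthResult(False, store, reason="bad password")
    # Authorization is derived from the directory's groups via GROUP_MAP,
    # never from the text the user typed after the '@'.
    profiles = tuple(GROUP_MAP[g] for g in dir_groups if g in GROUP_MAP)
    return AuthResult(True, store, profiles)


if __name__ == "__main__":
    for user, pw in [("jose@admin", "Adm1nPass!"), ("Mark@cisco", "Pr0viderPass"),
                     ("mark@admin", "Pr0viderPass"), ("jose@nowhere", "Adm1nPass!")]:
        print(user, authenticate(user, pw))
```

Note that the third case, a provider account claiming the admin realm, is refused not because a string check fails but because the admin store simply has no such account; the suffix decides where to ask, and the directory decides who the user is.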
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART