RE: VPN Users Authentication in ACS

From: JM HotMail (norouterrip@hotmail.com)
Date: Thu Mar 19 2009 - 20:15:04 ART


Check this. I am using this to drop users in different group policies based on
different Windows groups. This is with RADIUS though, using the class 25
attribute.

https://supportwiki.cisco.com/ViewWiki/index.php/Configure_ACS_to_Assign_a_Group_Policy_at_Login_using_RADIUS

Jean-Marc
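An added illustration (not Cisco ACS code, and not from any of the posters): a small Python model of the two points made in the thread below, choosing an identity store from the username suffix with the ACS 5.0 operators Sadiq lists, and then taking the user's group from the directory rather than from the "@groupY" text the user typed, as Tyson recommends. The identity stores, users and credentials are constructed sample data.

```python
"""Model of the two approaches argued over in this thread (added illustration,
not Cisco ACS code): pick an identity store from the username suffix, the way
ACS 5.0 service selection can ("Ends With"), then take the user's group from
the authoritative store rather than from the string the user typed."""

# Constructed sample identity stores standing in for Active Directory and LDAP.
# Maps bare username -> (password, group the directory says the user is in).
STORES = {
    "AD":   {"jose": ("s3cret", "admin")},
    "LDAP": {"mark": ("hunter2", "providers")},
}

# ACS 5.0-style service selection rules: (operator, value, identity store).
# Only the four username operators named in the thread are modelled.
RULES = [
    ("ends_with", "@admin", "AD"),
    ("ends_with", "@cisco", "LDAP"),
]

OPERATORS = {
    "equals":      lambda s, v: s == v,
    "not_equals":  lambda s, v: s != v,
    "starts_with": lambda s, v: s.startswith(v),
    "ends_with":   lambda s, v: s.endswith(v),
}

def select_store(username):
    """First matching rule wins, as in a service-selection table; None if none."""
    for op, value, store in RULES:
        if OPERATORS[op](username, value):
            return store
    return None

def authenticate(full_username, password):
    """Return (ok, group). The '@groupY' suffix only chooses which database
    to ask; the group returned is what that database holds for the user."""
    store_name = select_store(full_username)
    if store_name is None:
        return (False, None)          # no rule matched: reject
    bare_user = full_username.rsplit("@", 1)[0]
    entry = STORES[store_name].get(bare_user)
    if entry is None or entry[0] != password:
        return (False, None)          # unknown in that store or bad password
    return (True, entry[1])           # group from the directory, not the suffix

if __name__ == "__main__":
    print(authenticate("jose@admin", "s3cret"))    # (True, 'admin')
    print(authenticate("jose@cisco", "s3cret"))    # (False, None)
```

Note that "jose@cisco" is rejected: the suffix routes the request to the LDAP store, which does not know that user, so claiming a different group buys nothing.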

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jose A. Arnau Alvarez
Sent: Tuesday, March 17, 2009 9:34 AM
To: sadiqtanko@gmail.com; tscott@ipexpert.com
Cc: Grupo de Estudio CCIE
Subject: RE: VPN Users Authentication in ACS

Let me give you some more details on what my idea was. The idea is that the ASA
passes VPN client usernames to the ACS, and the ACS, according to the group to
which that user belongs, validates against one database or another. For example,
if the user is jose@admin, validate in the administrators database (Active
Directory, for example), and if it is Mark@cisco, validate in the providers
database (LDAP). Of course, although the user indicates that the username belongs
to that group (userX@groupY), the database must also validate correctly.

Thank you very much again!!!

---------------------
---------------------
Jose A. Arnau Alvarez
CCIE R&S #23051
---------------------
---------------------

Date: Tue, 17 Mar 2009 15:35:14 +0000
Subject: Re: VPN Users Authentication in ACS
From: sadiqtanko@gmail.com
To: tscott@ipexpert.com
CC: jaral18@hotmail.com; ccielab@groupstudy.com

Actually, thinking about this more, it's possible in ACSv5.0 with the
username attribute and "Ends With" option.

Sadiq

On Tue, Mar 17, 2009 at 2:54 PM, Sadiq Yakasai <sadiqtanko@gmail.com> wrote:

Well said Tyson! There you are Jose, an external DB would be your solution.

On Tue, Mar 17, 2009 at 2:49 PM, Tyson Scott <tscott@ipexpert.com> wrote:

Jose,

One way or another you need to assign a user to a group. It would not be a
good security function to say that any user that says they are a part of
groupX should be allowed to do so.

You could pass the user string on to an external database, such as Active
Directory, or LDAP, and have them assign to ACS the user group they are a
part of and in ACS map that group assigned to the group you want in ACS.

It would not be a recommended security practice to assign users to groups
based on user requests. Thus the reason this would not be designed into
ACS.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott@ipexpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sadiq Yakasai
Sent: Tuesday, March 17, 2009 10:40 AM
To: Jose A. Arnau Alvarez
Cc: Grupo de Estudio CCIE
Subject: Re: VPN Users Authentication in ACS

Hi Jose,

Currently on ACSv4.2, I am very confident there is no such support for what
you are trying to do. There is a similar functionality however, called
Network Access Filtering, which only performs policy manipulation based on
Access Device (previously configured), Access Device Groups, or NAS IP
Address. If you go to Shared Profile Components - Network Access Filtering,
you would see what I am talking about there. But AFAIK, that version of ACS
has no capability to manipulate a username string and make policy decisions.

ACSv5.0 has been designed to provide much more control in this regard with
very flexible NAF (aka Service Selection). You can perform network policy
service selection based on much more (literally all RADIUS and TACACS
attributes inbound to ACS, plus a few more criteria) and even the username
string. However, even at this, you can only do Equals, Not Equals, Starts
With, Ends With, without any ability to perform string manipulation like you
would like to do.

HTH,

Sadiq

On Tue, Mar 17, 2009 at 12:01 PM, Jose A. Arnau Alvarez <jaral18@hotmail.com>
wrote:

> Hi everyone!
>
> I have some questions about the VPN users authentication in ACS. I have an
> ASA 5520 that performs functions of VPN concentrator, and authenticates
> users in an ACS 4.2. Users who connect use a username like "userX@groupY"
> in the VPN client software prompt, and I would like the text string behind
> the @ to be used in ACS in order to dynamically assign that user to the
> group of the text string (Group Y). I don't know if this is possible with
> ACS, but I would like to know if anyone knows.
>
> Thank you very much and best regards.
>
> ---------------------
> ---------------------
> Jose A. Arnau Alvarez
> CCIE R&S #23051
> ---------------------
> ---------------------
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

--
CCIE #19963




This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:06 ART