Don't let Cisco hear you bypassed ACS with LDAP and AD groupings!
Great solution.
Regards,
Jay McMickle- CCIE #35355
Sent from iJay
On May 8, 2012, at 6:17 PM, Ryan West <rwest_at_zyedge.com> wrote:
> LDAP authorization with attribute map matching can take AD group membership and translate it into group-policy membership. Then apply your VPN-filters to those groups. It's clean and pretty easy to get going. Won't require additional software on your servers (IAS/NPS/AD plugin).
>
> Sent from handheld
>
> On May 8, 2012, at 6:56 PM, "Jay McMickle" <jay.mcmickle_at_yahoo.com> wrote:
>
>> I believe the Identity-aware came out in 8.4.2 and not everyone is running it yet.
>>
>> That would be helpful if he had a group of VPN users and you wanted to filter by ID while still using the same crypto map and group policy.
>>
>> It is a cool feature, though. Although Palo Alto and Checkpoint do this as well, Cisco is about to change the game with ACS, ISE, and even ISE-aware switches so that this entitlement starts at the port and not all the way into the network at the firewall. It's like NAC, but it works well and is easy.
>>
>> Regards,
>> Jay McMickle- CCIE #35355
>> Sent from iJay
>>
>> On May 8, 2012, at 10:07 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>
>>> Amin,
>>>
>>> If you can spend some time on this new ASA feature called Identity Firewall
>>> Access Control (IDFW), it should do what you are asking for. It's a really
>>> cool and neat feature for access control on the ASA not just based on IP
>>> addresses but also on usernames and/or AD groups, etc. I have tested it and
>>> it works a treat! Give it a go.
>>>
>>> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html
>>>
>>> HTH,
>>> Sadiq
>>>
>>> On Tue, May 8, 2012 at 3:43 PM, amin <amin_at_axizo.com> wrote:
>>>
>>>> Hi experts,
>>>>
>>>> How can I apply an access-list (access rule) to my VPN clients according to
>>>> their pool address? I made it and tried to apply it to the outside interface inbound, and to
>>>> the inside interface outbound, but in both cases it didn't take effect to restrict them to
>>>> certain applications and deny other applications to them.
>>>>
>>>> Is there any good way to apply such a technique that restricts the VPN
>>>> clients to SQL only and denies other types of access?
>>>>
>>>> Regards,
>>>>
>>>> Amin
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>> --
>>> CCIEx2 (R&S|Sec) #19963
>>>
>>
Received on Tue May 08 2012 - 19:56:33 ART
This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:19 ART
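Added example, not posted by anyone in the thread above: the LDAP attribute-map approach Ryan describes, written out as an ASA configuration that answers Amin's original question. Host addresses, the AD group DN, the bind account, the pool range and every object name are assumed for illustration, and "SQL" is taken to mean Microsoft SQL Server on TCP/1433. Two ASA behaviours the example relies on: a vpn-filter ACL is written with the VPN client as the source and the inside host as the destination, and the ASA applies it to both directions of the tunnel by swapping source and destination for inbound traffic; and with the default `sysopt connection permit-vpn` in effect, decrypted VPN traffic is not checked against the interface access lists at all, which is why an ACL bound to the outside or inside interface does not restrict the clients.

```text
! Added example configuration (not from the thread). Addresses, DNs and names are assumed.
! Goal: remote-access users in the AD group "SQL-VPN-Users" may reach only the
! SQL server on TCP/1433; any user without a mapped group gets no VPN access.

ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! vpn-filter ACL: source = VPN client (the pool), destination = inside host.
! The ASA also applies it to inside->client traffic by swapping src/dst.
! The explicit deny only adds logging; the ACL ends in an implicit deny anyway.
access-list VPN-SQL-ONLY extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 1433
access-list VPN-SQL-ONLY extended deny ip any any log

! Translate the AD memberOf value into an ASA group-policy name.
! Users whose memberOf has no map-value fall through to the tunnel-group default.
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=SQL-VPN-Users,OU=Groups,DC=example,DC=com" GP-SQL-ONLY

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.168.1.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-MAP

! Group policy for the SQL users: the vpn-filter does the restricting.
group-policy GP-SQL-ONLY internal
group-policy GP-SQL-ONLY attributes
 vpn-filter value VPN-SQL-ONLY

! Default policy: zero simultaneous logins, so unmapped users cannot connect.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

To check the mapping before rolling it out, run `test aaa-server authentication AD-LDAP host 192.168.1.5 username <user> password <pw>` with `debug ldap 255` enabled and confirm the memberOf value is rewritten to `GP-SQL-ONLY`; after a real login, `show vpn-sessiondb detail anyconnect` (or the equivalent for the IPsec client) shows the group policy and the filter name applied to that session. If the pool range ever changes, the source network in `VPN-SQL-ONLY` must change with it, otherwise the filter silently denies everything.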