Hi Ryan,
Cisco supports RADIUS CoA on several platforms today actually (switches and
WLC) for wired and wireless. And it's coming pretty soon on many more
platforms, the last time I checked.
Brace yourself for good things, soon, my friend! ;-)
On Wed, May 9, 2012 at 2:01 AM, Ryan West <rwest_at_zyedge.com> wrote:
> I'll be bypassing ACS and ISE until CoA is supported. Not a big fan of
> using extra equipment for the sake of having it. But yeah, don't tell them
> :)
>
> You're not in a good mood this week by any chance, are you? Such a
> relief, right?
>
> -----Original Message-----
> From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
> Sent: Tuesday, May 08, 2012 8:57 PM
> To: Ryan West
> Cc: Sadiq Yakasai; amin; ccielab_at_groupstudy.com
> Subject: Re: ACL on my remote VPN clients
>
> Don't let Cisco hear you bypassed ACS with LDAP and AD groupings!
>
> Great solution.
>
> Regards,
> Jay McMickle- CCIE #35355
> Sent from iJay
>
> On May 8, 2012, at 6:17 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> > LDAP authorization with attribute map matching can take AD group
> membership and translate it into group-policy membership. Then apply your
> VPN-filters to those groups. It's clean and pretty easy to get going.
> Won't require additional software on your servers (IAS/NPS/AD plugin).
> >
> > Sent from handheld
> >
> > On May 8, 2012, at 6:56 PM, "Jay McMickle" <jay.mcmickle_at_yahoo.com>
> wrote:
> >
> >> I believe the Identity aware came out in 8.4.2 and not everyone is
> running it yet.
> >>
> >> That would be helpful if he had a group of VPN users and you wanted to
> filter by ID while still using the same crypto map and group policy.
> >>
> >> It is a cool feature, though. Although Palo Alto and Checkpoint do
> this as well, Cisco is about to change the game with ACS, ISE, and even ISE
> aware switches so that this entitlement starts at the port and not all the
> way into the network at the firewall. It's like NAC, but it works well and
> easy.
> >>
> >> Regards,
> >> Jay McMickle- CCIE #35355
> >> Sent from iJay
> >>
> >> On May 8, 2012, at 10:07 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com>
> wrote:
> >>
> >>> Amin,
> >>>
> >>> If you can spend some time on this new ASA feature called Identity
> >>> Firewall Access Control (IDFW), it should do what you are asking
> >>> for. It's a really cool and neat feature for access control on the
> >>> ASA not just based on IP addresses but also on usernames and/or AD
> >>> groups, etc. I have tested it and it works a treat! Give it a go.
> >>>
> >>> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html
> >>>
> >>> HTH,
> >>> Sadiq
> >>>
> >>> On Tue, May 8, 2012 at 3:43 PM, amin <amin_at_axizo.com> wrote:
> >>>
> >>>> Hi experts,
> >>>>
> >>>> How can I apply an access-list (access rule) to my VPN clients
> >>>> according to their pool address? I made one and tried to apply it to
> >>>> the outside in, and to the inside out, but in both cases it didn't
> >>>> take effect to restrict them to certain applications and deny other
> applications to them.
> >>>>
> >>>> Is there any good way to apply such a technique that restricts the
> >>>> VPN clients just to SQL and restricts other types of access?
> >>>>
> >>>>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Amin
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>>
> >>> --
> >>> CCIEx2 (R&S|Sec) #19963
>
--
CCIEx2 (R&S|Sec) #19963

Received on Wed May 09 2012 - 10:34:41 ART
This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:19 ART