I had a bad experience implementing CoA on WLC!
Don't touch it yet on WLC (especially 55xx). I have not had a chance to play
with switch CoA!
On Wed, May 9, 2012 at 7:34 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> Hi Ryan,
>
> Cisco supports RADIUS CoA on several platforms today actually (Switches and
> WLC) for wired and wireless. And it's coming pretty soon on many more
> platforms, the last time I checked.
>
> Brace yourself for good things, soon, my friend! ;-)
>
> On Wed, May 9, 2012 at 2:01 AM, Ryan West <rwest_at_zyedge.com> wrote:
>
> > I'll be bypassing ACS and ISE until CoA is supported. Not a big fan of
> > using extra equipment for the sake of having it. But yeah, don't tell them
> > :)
> >
> > You're not in a good mood this week by any chance, are you? Such a
> > relief, right?
> >
> > -----Original Message-----
> > From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
> > Sent: Tuesday, May 08, 2012 8:57 PM
> > To: Ryan West
> > Cc: Sadiq Yakasai; amin; ccielab_at_groupstudy.com
> > Subject: Re: ACL on my remote VPN clients
> >
> > Don't let Cisco hear you bypassed ACS with LDAP and AD groupings!
> >
> > Great solution.
> >
> > Regards,
> > Jay McMickle- CCIE #35355
> > Sent from iJay
> >
> > On May 8, 2012, at 6:17 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >
> > > LDAP authorization with attribute map matching can take AD group
> > > membership and translate it into group-policy membership. Then apply your
> > > VPN-filters to those groups. It's clean and pretty easy to get going.
> > > Won't require additional software on your servers (IAS/NPS/AD plugin).
> > >
> > > Sent from handheld
> > >
> > > On May 8, 2012, at 6:56 PM, "Jay McMickle" <jay.mcmickle_at_yahoo.com>
> > wrote:
> > >
> > >> I believe the Identity aware came out in 8.4.2 and not everyone is
> > running it yet.
> > >>
> > >> That would be helpful if he had a group of VPN users and you wanted to
> > filter by ID while still using the same crypto map and group policy.
> > >>
> > >> It is a cool feature, though. Although Palo Alto and Checkpoint do
> > >> this as well, Cisco is about to change the game with ACS, ISE, and even
> > >> ISE-aware switches so that this entitlement starts at the port and not all
> > >> the way into the network at the firewall. It's like NAC, but it works well
> > >> and is easy.
> > >>
> > >> Regards,
> > >> Jay McMickle- CCIE #35355
> > >> Sent from iJay
> > >>
> > >> On May 8, 2012, at 10:07 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com>
> > wrote:
> > >>
> > >>> Amin,
> > >>>
> > >>> If you can spend some time on this new ASA feature called Identity
> > >>> Firewall Access Control (IDFW), it should do what you are asking
> > >>> for. It's a really cool and neat feature for access control on the
> > >>> ASA not just based on IP addresses but also on usernames and/or AD
> > >>> groups, etc. I have tested it and it works a treat! Give it a go.
> > >>>
> > >>> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html
> > >>>
> > >>> HTH,
> > >>> Sadiq
> > >>>
> > >>> On Tue, May 8, 2012 at 3:43 PM, amin <amin_at_axizo.com> wrote:
> > >>>
> > >>>> Hi experts,
> > >>>>
> > >>>>
> > >>>>
> > >>>> How can I apply an access-list (access rule) to my VPN clients
> > >>>> according to their pool address? I made it and tried to apply it to
> > >>>> the outside in, and to the inside out, but in both cases it didn't
> > >>>> take effect to restrict them to certain applications and deny other
> > >>>> applications to them.
> > >>>>
> > >>>> Is there any good way to apply such a technique that restricts the
> > >>>> VPN clients just to SQL and restricts other types of access?
> > >>>>
> > >>>>
> > >>>>
> > >>>> Regards,
> > >>>>
> > >>>> Amin
> > >>>>
> > >>>>
> > >>>> Blogs and organic groups at http://www.ccie.net
> > >>>>
> > >>>> _______________________________________________________________________
> > >>>> Subscription information may be found at:
> > >>>> http://www.groupstudy.com/list/CCIELab.html
> > >>>
> > >>>
> > >>> --
> > >>> CCIEx2 (R&S|Sec) #19963
> > >>>
> > >>>
> >
> --
> CCIEx2 (R&S|Sec) #19963
Received on Wed May 09 2012 - 20:15:13 ART
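As an added worked example (not posted by anyone in this thread), the approach Ryan describes on the ASA: an LDAP attribute map turns AD group membership into a group-policy, and a vpn-filter on that group-policy restricts the client to SQL only. All IPs, DNs, server and object names below are constructed placeholders.

```cisco
! Constructed example config (not from the thread). Hostnames, IPs, DNs
! and object names are placeholders.

! 1. Map the AD "memberOf" attribute to the ASA group-policy name.
!    Members of CN=SQL-Users land in group-policy GP-SQL-ONLY; everyone
!    else falls through to the tunnel-group default further down.
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=SQL-Users,OU=Groups,DC=example,DC=com" GP-SQL-ONLY

! 2. LDAP server used for both authentication and authorization.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! 3. A vpn-filter ACL is evaluated with the VPN client as the source
!    (inbound from the tunnel); return traffic is handled statefully.
!    Only SQL Server (TCP/1433) to one host is permitted.
access-list VPN-SQL-ONLY extended permit tcp any host 10.0.0.20 eq 1433
access-list VPN-SQL-ONLY extended deny ip any any log

! 4. Attach the filter to the group-policy the attribute map selects.
group-policy GP-SQL-ONLY internal
group-policy GP-SQL-ONLY attributes
 vpn-filter value VPN-SQL-ONLY

! 5. Restrictive default for users that match no map-value.
access-list VPN-DENY-ALL extended deny ip any any log
group-policy GP-DENY-ALL internal
group-policy GP-DENY-ALL attributes
 vpn-filter value VPN-DENY-ALL

tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 authorization-server-group AD-LDAP
 default-group-policy GP-DENY-ALL

! Why interface ACLs (outside-in / inside-out) had no effect on the VPN
! clients: the ASA default "sysopt connection permit-vpn" exempts
! decrypted VPN traffic from interface access-lists; vpn-filter applies
! regardless of that setting.
```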