That's what I hear. I should have stated CoA support on the ASA. Having to
dedicate an ISE box role for the ASA is not good. You know, I haven't checked
out the 8.6 code too deeply for the 5500-x line.
Sent from handheld
On May 9, 2012, at 5:34 AM, "Sadiq Yakasai" <sadiqtanko_at_gmail.com> wrote:
Hi Ryan,
Cisco supports RADIUS CoA on several platforms today actually (switches and
WLC) for wired and wireless. And it's coming pretty soon on many more
platforms, the last time I checked.
Brace yourself for good things, soon, my friend! ;-)
On Wed, May 9, 2012 at 2:01 AM, Ryan West <rwest_at_zyedge.com> wrote:
I'll be bypassing ACS and ISE until CoA is supported. Not a big fan of using
extra equipment for the sake of having it. But yeah, don't tell them :)
You're not in a good mood this week by any chance, are you? Such a relief,
right?
-----Original Message-----
From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
Sent: Tuesday, May 08, 2012 8:57 PM
To: Ryan West
Cc: Sadiq Yakasai; amin; ccielab_at_groupstudy.com
Subject: Re: ACL on my remote VPN clients
Don't let Cisco hear you bypassed ACS with LDAP and AD groupings!
Great solution.
Regards,
Jay McMickle- CCIE #35355
Sent from iJay
On May 8, 2012, at 6:17 PM, Ryan West <rwest_at_zyedge.com> wrote:
> LDAP authorization with attribute map matching can take AD group membership
> and translate it into group-policy membership. Then apply your VPN-filters to
> those groups. It's clean and pretty easy to get going. Won't require
> additional software on your servers (IAS/NPS/AD plugin).
>
> Sent from handheld
>
> On May 8, 2012, at 6:56 PM, "Jay McMickle" <jay.mcmickle_at_yahoo.com> wrote:
>
>> I believe the Identity aware came out in 8.4.2 and not everyone is running
>> it yet.
>>
>> That would be helpful if he had a group of VPN users and you wanted to
>> filter by ID while still using the same crypto map and group policy.
>>
>> It is a cool feature, though. Although Palo Alto and Checkpoint do this
>> as well, Cisco is about to change the game with ACS, ISE, and even ISE-aware
>> switches so that this entitlement starts at the port and not all the way into
>> the network at the firewall. It's like NAC, but it works well and is easy.
>>
>> Regards,
>> Jay McMickle- CCIE #35355
>> Sent from iJay
>>
>> On May 8, 2012, at 10:07 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>
>>> Amin,
>>>
>>> If you can spend some time on this new ASA feature called Identity
>>> Firewall Access Control (IDFW), it should do what you are asking
>>> for. It's a really cool and neat feature for access control on the
>>> ASA not just based on IP addresses but also on usernames and/or AD
>>> groups, etc. I have tested it and it works a treat! Give it a go.
>>>
>>> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html
>>>
>>> HTH,
>>> Sadiq
>>>
>>> On Tue, May 8, 2012 at 3:43 PM, amin <amin_at_axizo.com> wrote:
>>>
>>>> Hi experts,
>>>>
>>>> How can I apply an access-list (access rule) to my VPN clients
>>>> according to their pool address? I made it and tried to apply it to
>>>> the outside in, and to the inside out, but in both cases it didn't
>>>> take effect to restrict them to certain applications and deny other
>>>> applications to them.
>>>>
>>>> Is there any good way to apply such a technique that restricts the
>>>> VPN clients just to SQL and restricts other types of access?
>>>>
>>>> Regards,
>>>>
>>>> Amin
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>> --
>>> CCIEx2 (R&S|Sec) #19963
--
CCIEx2 (R&S|Sec) #19963

Received on Wed May 09 2012 - 11:45:00 ART
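The approach Ryan West describes in the thread (an LDAP attribute map translating AD group membership into ASA group-policy membership, with a vpn-filter on that policy restricting the clients to SQL, as Amin asked) written out as an added ASA configuration example; this is not from the original thread, and the server address, DNs, pool, ACL and policy names are assumptions.

```cisco
! Added example, not from the thread. All names, DNs and addresses are assumed.
! 1. LDAP attribute map: AD group (memberOf) -> ASA group-policy.
!    Users in the SQL group land in GP-SQL-ONLY; everyone else keeps the
!    tunnel-group default policy, which allows no logins (deny by default).
ldap attribute-map AD-GROUP-TO-GP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-SQL-Users,OU=Groups,DC=example,DC=com" GP-SQL-ONLY
!
! 2. AD/LDAP server used for both authentication and authorization.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-GP
!
! 3. vpn-filter ACL. For remote-access clients the ACE is written with the
!    client pool address as the source and the internal host as the
!    destination; the ASA applies the filter to both directions of the
!    tunnel. The implicit deny drops everything else, so only SQL (TCP/1433)
!    reaches the database server.
ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
access-list VPN-SQL-ONLY extended permit tcp 192.168.100.0 255.255.255.0 host 10.0.0.50 eq 1433
!
! 4. Group policies: the restricted one carries the filter, the default one
!    refuses logins so an account outside the mapped AD group gets nothing.
group-policy GP-SQL-ONLY internal
group-policy GP-SQL-ONLY attributes
 vpn-filter value VPN-SQL-ONLY
 address-pools value VPN-POOL
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 5. Tunnel group ties authentication, LDAP authorization and the default
!    (no-access) policy together.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 authorization-server-group AD-LDAP
 default-group-policy GP-NOACCESS
!
! While testing the mapping, "debug ldap 255" shows the memberOf values
! retrieved from AD and the group-policy the attribute map selected.
```

The ACL used as a vpn-filter should not also be bound to an interface with access-group, since the two are evaluated in different places.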