[c-nsp] ACS and ASA VPN user authentication

Brett Looney brett at looney.id.au
Wed Aug 29 02:05:09 EDT 2007


Greets,

Background: When connecting to an ASA using the Cisco VPN client you've got
to build a connection entry (stored as a PCF file) that includes the VPN
group name and VPN group shared key. PCF files can be migrated from one
machine to another.

We have an issue where a tech-savvy user has taken a copy of a PCF file and
put it on a new laptop. Consequently, he can connect to an existing VPN
group (that lots of other users connect to) and get access to things he
shouldn't be able to.

However, we want to let this user still connect to the ASA but using a
different VPN group. But we have no way of forcing him to do this. We can't
disable his account for this reason. And we can't change the group key
because that would affect lots of users, some in remote locations that we
can't get to.

The root cause here is that in ACS I can't find any way of limiting a user
(or group for that matter) to a particular VPN Group. The ASA doesn't appear
to pass that attribute to the ACS and I can't find any attribute in the list
of TACACS+ attribute-value pairs that would do this.

So, is there a way I can do this with ASA and ACS? I want to lock a
particular user (or group) to a VPN group and not let them connect any other
way.

More information:

We're using ACS for Windows 3.3 (but can upgrade if necessary) and
authenticating via TACACS+.
We're running ASA code version 7.2.2.

Any ideas? Does this even make sense? TIA.

B.


