[c-nsp] ACS and ASA VPN user authentication

Nicholas Weaver nweaver at thinkcash.com
Tue Sep 4 11:20:30 EDT 2007


I have done this with Microsoft IAS and it works like a dream.  I use it
to restrict VPN access to users that are members of specific Domain
groups.  I can also stack the rules to allow for a group per group and
ACLs for Departments...etc.

I am using the new AnyConnect with an ASA 5520 running 8.0(2).

.nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Kougoulos
Sent: Wednesday, August 29, 2007 5:14 AM
To: Brett Looney
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ACS and ASA VPN user authentication

Hello,

I've done this in vpn concentrators with radius:

Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

It applies to VPN concentrators using RADIUS, but I guess that it will 
probably work for ASA also. I think it will also be easy to migrate to 
RADIUS.

Best Regards,
John


Brett Looney wrote:
> Greets,
> 
> So, is there a way I can do this with ASA and ACS? I want to lock a
> particular user (or group) to a VPN group and not let them connect any
> other way.
> 
> More information:
> 
> We're using ACS for Windows 3.3 (but can upgrade if necessary) and
> authenticating via TACACS+.
> We're running ASA code version 7.2.2.
> 
> Any ideas? Does this even make sense? TIA.
> 
> B.
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/