[c-nsp] ACS and ASA VPN user authentication
Nicholas Weaver
nweaver at thinkcash.com
Wed Sep 5 16:59:50 EDT 2007
Yeah,
I basically use the IAS rule to define which group they belong to in
Active Directory and then pass back the RADIUS value to choose the
corresponding group I created in ASA. I had 3 different groups and it
worked great. I just make sure that the higher level groups are higher
in the rule list. I am replacing all this with RSA keyfob auth now so
it is all changing. But during the migration between Token and Password
I just use the drop-down group box to let the user choose which kind of
auth they are on.
I use the same systems with my Cisco Wireless (LWAPP). I use a GPO to
choose which WLANs the user connects to and IAS (PEAP) to correspond to
their group. If we disable a user account in AD we disable it for
Wireless. The plan is to do dot1x for port-auth and make everything tie
to one account. This also makes group-based ACLs/WLANs work per
Dept.
.nick
nweaver at thinkcash.com
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brett Looney
Sent: Tuesday, September 04, 2007 6:20 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ACS and ASA VPN user authentication
> I have done this with Microsoft IAS and it works like a dream. I
> use it to restrict VPN access to users that are members of specific
> Domain groups. I can also stack the rules to allow for a group per
> group and ACLs for Departments...etc.
Yeah, I've done that on many occasions with routers as well - does this
work with different VPN groups that are defined on the ASA?
B.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
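The setup Nick describes above (IAS matches the user's AD group and hands the ASA a RADIUS value that selects a group-policy) is illustrated below as an added example; it is not configuration posted by anyone in the thread. It uses ASA 8.0-8.3 syntax. The server address, shared secrets, ACL and policy names are assumptions. The mechanism itself is documented Cisco behaviour: the ASA takes the IETF RADIUS Class attribute (25) with a value of the form "OU=<group-policy name>;" and applies that group-policy to the session.

```cisco
! Added example, not from the thread. Addresses, names and secrets are
! assumptions chosen for illustration.

! RADIUS server group pointing at the IAS server (address assumed)
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.0.0.5
 key CHANGE-ME-shared-secret
 authentication-port 1812
 accounting-port 1813

! One ACL per department, applied to the tunnel as a vpn-filter
access-list ACL-ENG extended permit ip any 10.10.0.0 255.255.0.0
access-list ACL-FIN extended permit ip any 10.20.0.0 255.255.0.0

! Per-department group-policies. The IAS remote access policy that
! matched the user's AD group returns Class (25) = "OU=GP-ENG;" or
! "OU=GP-FIN;" and the ASA applies the matching policy.
group-policy GP-ENG internal
group-policy GP-ENG attributes
 vpn-filter value ACL-ENG
 vpn-tunnel-protocol IPSec
group-policy GP-FIN internal
group-policy GP-FIN attributes
 vpn-filter value ACL-FIN
 vpn-tunnel-protocol IPSec

! Fallback for a user who authenticates but whose IAS policy returned no
! Class attribute: zero simultaneous logins means the tunnel is refused
! instead of silently landing on a permissive default.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Single tunnel-group; authentication and authorization both come from IAS
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group IAS
 default-group-policy GP-NOACCESS
tunnel-group VPN-USERS ipsec-attributes
 pre-shared-key CHANGE-ME-psk
```

On the IAS side this assumes one Remote Access Policy per department, each with the condition Windows-Groups matches the corresponding AD group (for example DOMAIN\VPN-Eng) and, under the profile's Advanced attributes, the standard Class attribute set to the string "OU=GP-ENG;". IAS evaluates its policies top down and stops at the first match, which is why the more privileged groups have to sit higher in the list, as Nick notes. The deny-by-default group-policy on the tunnel-group is the check worth keeping: without it, any user IAS accepts but does not classify inherits whatever the default policy permits. If several tunnel-groups are exposed in the client's drop-down, `group-lock value <tunnel-group>` in a group-policy pins its users to the intended one.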