[c-nsp] per-user access-lists with IOS SSL VPN
James Baker
james at jgbaker.co.nz
Wed Sep 5 22:24:44 EDT 2012
Have a look at Cisco AV-Pairs
I've used/use them before on Cisco IOS and ASA devices with RADIUS
I think they also work with TACACS
Look for "inacl= "
For eg
ip:inacl#1=permit tcp any 10.0.0.10 255.255.255.0 eq 22
google found this which may be of use
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_tacacs/configuration/15-1mt/sec-usr-tacacs-15-1mt-book.pdf
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Randy
Sent: Thursday, 6 September 2012 12:38 p.m.
To: cisco-nsp at puck.nether.net; Jason Lixfeld
Subject: Re: [c-nsp] per-user access-lists with IOS SSL VPN
--- On Wed, 9/5/12, Jason Lixfeld <jason at lixfeld.ca> wrote:
> From: Jason Lixfeld <jason at lixfeld.ca>
> Subject: [c-nsp] per-user access-lists with IOS SSL VPN
> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Date: Wednesday, September 5, 2012, 4:05 PM I've got a third party
> that need access to my network over my VPN. Instead of giving them
> carte blanche, I'd like to wrap an ACL around their session so they
> only have access to what's permitted by the ACL. I can configure
> these users in tac_plus as users, or as members of a group, or locally
> on the VPN box, if needed.
>
> My google-fu hasn't turned up anything remotely appropriate to what it
> is I'm looking for - hoping someone out here might know.
>
> My kit consists of a 2901 running 15.2(1)GC1.
>
> Thanks in advance.
...and I forgot to add: "it was via the split-tunneling ACL ./Randy
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list