Windows groups, VPN groups, and SecureACS

Discussion in 'Cisco' started by John Sasso, Oct 2, 2004.

  1. John Sasso

    John Sasso Guest

    I've run into a problem which I'm trying to find a solution to at work.

    We have a Cisco VPN 3030 concentrator that administrators will VPN into
    using Cisco's VPN client in order to do management remotely (there will
    be quite a few admins, so for manageability purposes I do not want to
    create them local accounts on the concentrator). The 3030 will
    authenticate against a SecureACS server which is in a Windows Active
    Directory domain.

    [ For the sake of discussion, assume the Cisco products are all running
    the latest software ]

    The admins will belong to certain Windows groups (in Active Directory)
    to designate the machine-spec. areas they are responsible for: Windows
    servers, UNIX servers, mainframes, database servers, network devices.
    The goal is to restrict access by those users, based on the group they
    are in, to the machines they are to administer.


    1. is there a way to tie a VPN group [in the 3030] to a Windows group in
    AD through Secure ACS?

    2. can you tie access control lists to a Windows group in Secure ACS?

    Someone on my team suggested tieing the Windows group (and, in turn, the
    VPN group) to an IP address pool for that group on the VPN concentrator,
    and then using the firewalls that the admins have to go through filter
    access to the servers/devices based on IP address range. The issue I
    have with that is it is still not user or group based.

    Another question: can you set up IP address pools for a VPN
    concentrator on an ACS server rather than on the VPN concentrator alone?


    PS: Please send all responses to this group, not to me directly.
    John Sasso, Oct 2, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.