Creating per-user filters for vendors/contractors/support.


I am trying to develop a solution on the SA that restricts network access based on the username. So all the users (separate from corporate users) would belong to a role, and then each user would have a specific filter applied (restricting access to a defined list of IP addresses). I would rather not have to build roles/resources for each username. There has got to be some way to pull the IP list from AD/LDAP and apply that to a generic resource policy. I have seen some indication of this using custom expressions, but nothing with any kind of detail. If I could pull the list from RADIUS as a VSA, that would work too. For reference, I currently do this via a Cisco VPN and downloadable ACLs in Cisco ACS.

Thanks in advance....


Re: Creating per-user filters for vendors/contractors/support.

The first part is straightforward. Use an LDAP auth server and then create a role mapping rule based on group membership.

For the second part you could use the split tunneling feature; the split tunnel config can be dynamically built using a user attribute value from a RADIUS server (LDAP may work as well).
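The two-step design the reply describes (role from group membership, per-user network list from a directory or RADIUS attribute) can be modelled outside the appliance to check how a given directory record would be evaluated before it is pushed to the SA. The following is an added example, not code from the thread or from the vendor; the attribute name `allowedNetworks`, the group DNs, the users and the role names are all constructed for the illustration, and a RADIUS VSA carrying the same comma-separated text would be parsed the same way.

```python
"""Model of per-user network filters derived from directory data.

Step 1: map a user to a role from group membership (first matching rule wins).
Step 2: build the user's allowed-network list from a per-user attribute.
All directory content below is constructed sample data for the example.
"""
import ipaddress

# Constructed records standing in for LDAP search results.
# 'allowedNetworks' is a hypothetical multi-valued attribute holding CIDRs.
DIRECTORY = {
    "vendor1": {
        "memberOf": ["cn=vpn-contractors,ou=groups,dc=example,dc=com"],
        "allowedNetworks": ["10.10.5.0/24", "10.20.0.15/32"],
    },
    "alice": {
        "memberOf": ["cn=vpn-corporate,ou=groups,dc=example,dc=com"],
        "allowedNetworks": [],  # corporate users get no per-user restriction
    },
    "bob": {
        "memberOf": [],  # in no VPN group at all
        "allowedNetworks": ["10.10.9.0/24"],
    },
}

# Role mapping rules: (group DN, role), evaluated in order; first match wins.
ROLE_MAP = [
    ("cn=vpn-corporate,ou=groups,dc=example,dc=com", "Corporate"),
    ("cn=vpn-contractors,ou=groups,dc=example,dc=com", "Contractor"),
]


def map_role(username):
    """Return the role for a user from group membership, or None if no rule matches."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    groups = {g.lower() for g in entry["memberOf"]}  # DNs compare case-insensitively
    for group_dn, role in ROLE_MAP:
        if group_dn.lower() in groups:
            return role
    return None


def parse_networks(values):
    """Parse attribute values into networks.

    strict=True makes a value with host bits set (e.g. 10.10.5.1/24) raise
    ValueError instead of being silently widened to the whole /24, so a
    mistyped attribute fails closed rather than granting more than intended.
    """
    return [ipaddress.ip_network(v.strip(), strict=True) for v in values]


def build_filter(username):
    """Return (role, allowed_networks) for a user.

    Corporate users get an unrestricted filter (None). Contractors get exactly
    the networks from their attribute; an empty list means deny everything.
    A user with no mapped role is refused outright.
    """
    role = map_role(username)
    if role is None:
        raise PermissionError(f"{username}: no role mapped, access denied")
    if role == "Corporate":
        return role, None
    return role, parse_networks(DIRECTORY[username]["allowedNetworks"])


def is_allowed(username, dest_ip):
    """Decide whether a destination address is reachable for the user."""
    _, nets = build_filter(username)
    if nets is None:
        return True
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    for user, dest in [("vendor1", "10.10.5.77"), ("vendor1", "10.20.0.16"),
                       ("alice", "192.168.1.1")]:
        print(user, dest, is_allowed(user, dest))
```

The fail-closed choices are the point of the model: a user outside every mapped group gets no access rather than a default role, and a malformed CIDR in the attribute raises rather than being rounded to a larger network. Whatever attribute the appliance is actually configured to read, the same two checks are worth applying to the directory data feeding it.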