1313 Views | 0 Helpful | 2 Replies

VPN Anyconnect user authorization

raza555 (Level 3)

Hi,

We have an ASA configured for AnyConnect VPN, and large subnets are allowed for VPN users via split tunnelling. All VPN users are authenticating via AAA. Then we have created VPN users in ACS and restricted the users' access to particular subnets via Downloadable ACL.

Problems:

~~~~~~~~

dACL on ACS works but is not good enough: suppose we have restricted a VPN user to a particular subnet via dACL; once he reaches the devices in that subnet, then from that device (switch/router) he is able to access any device which is not allowed in the dACL.

HOW CAN WE RESTRICT A VPN USER SO THAT IF HE IS ALLOWED TO ACCESS ONLY SUBNET 1 IN THE dACL, HE IS NOT ALLOWED/ABLE TO GO TO A SUBNET 2 SWITCH/ROUTER ETC. FROM ALLOWED SUBNET 1? PEOPLE KNOW THIS TRICK OF JUMPING FROM ALLOWED-SUBNET DEVICES TO NOT-ALLOWED-SUBNET DEVICES AND THEY MISUSE IT.

  

OR if you have any other better way, then please advise.

All devices are configured with TACACS. We are using ASA 8.4 and ACS 4.2.

Thanks

2 Accepted Solutions

Julio Carvajal (VIP Alumni)

Hello Riz,

At the moment the user jumps to another box and starts using that box, the security failure is actually not on the client or the dACL but on the router that is used as an SSH/Telnet client.

If you want to stop a Cisco router's SSH/Telnet client from being used as a terminal client, do:

line vty 0 4
 transport output none

You could also perform authorization for that user and deny those SSH/Telnet sessions, but this might impact legitimate traffic.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Another option you could implement is access lists on the VTY line that permit access only from certain IP addresses used by administrators. This IP range should be different from what is configured on the routers and switches, so they will not be able to hop via a router to another subnet.

access-list 1 permit 172.16.1.0 0.0.0.255
line vty 0 15
 access-class 1 in

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
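The two accepted answers describe two independent controls on the intermediate router or switch: `transport output none` so the box cannot originate SSH/Telnet sessions, and an inbound `access-class` on the VTY lines so only the admin network can open a session to it. The following Python script is an added example (not from the thread, not Cisco's code) that audits IOS-style running-config text for both controls, so a defender can check a fleet of devices rather than trusting that every one was fixed by hand. The sample configs, the hostnames and the admin network 172.16.1.0/24 are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpts (not from the thread), keyed by hostname.
SAMPLE_CONFIGS = {
    "hardened-switch": """\
hostname hardened-switch
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
line vty 0 15
 access-class 1 in
 transport input ssh
 transport output none
!
""",
    "open-router": """\
hostname open-router
!
line vty 0 4
 transport input ssh
!
""",
    "half-done-router": """\
hostname half-done-router
!
line vty 0 4
 access-class 7 in
 transport output none
!
""",
}

# Admin management network assumed for this example (the thread's 172.16.1.0/24).
ADMIN_NETWORK = "172.16.1.0 0.0.0.255"

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+?)\s*$")
VTY_RE = re.compile(r"^line vty\s+(\d+)(?:\s+(\d+))?\s*$")
ACCESS_CLASS_RE = re.compile(r"^access-class\s+(\S+)\s+in\b")


def parse_config(config: str) -> Dict:
    """Extract numbered access-lists and 'line vty' blocks from IOS-style config text."""
    acls: Dict[str, List[str]] = {}
    vtys: List[Dict] = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' and blank lines end the current section
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
            continue
        if VTY_RE.match(line):
            current = {"range": line[len("line "):], "commands": []}
            vtys.append(current)
            continue
        if line.startswith(" ") and current is not None:
            current["commands"].append(line.strip())  # indented = inside the vty block
        else:
            current = None  # any other top-level command ends the vty block
    return {"acls": acls, "vtys": vtys}


def audit_vty(config: str, admin_network: str = ADMIN_NETWORK) -> List[str]:
    """Return one finding per missing control; an empty list means both controls are present."""
    parsed = parse_config(config)
    findings: List[str] = []
    if not parsed["vtys"]:
        return ["no 'line vty' block found"]
    for vty in parsed["vtys"]:
        name, cmds = vty["range"], vty["commands"]
        # Control 1 (first answer): the box must not be usable as an outbound terminal client.
        if "transport output none" not in cmds:
            findings.append(f"{name}: missing 'transport output none' (box usable as a jump host)")
        # Control 2 (second answer): only the admin network may open a session to the vty.
        acl_names = [m.group(1) for m in map(ACCESS_CLASS_RE.match, cmds) if m]
        if not acl_names:
            findings.append(f"{name}: no inbound 'access-class' (any source can reach the vty)")
            continue
        for acl in acl_names:
            entries = parsed["acls"].get(acl)
            if entries is None:
                findings.append(f"{name}: access-class {acl} references an access-list that is not defined")
            elif f"permit {admin_network}" not in entries:
                findings.append(f"{name}: access-list {acl} does not permit admin network {admin_network}")
    return findings


def audit_all(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every device and map hostname -> findings."""
    return {host: audit_vty(text) for host, text in configs.items()}


if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE_CONFIGS).items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against real `show running-config` output captured per device; a device with an empty findings list has both the outbound block and the inbound admin-only restriction in place, while `half-done-router` shows the case worth catching in practice: an `access-class` that points at an access-list nobody ever defined.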

