Configuring Cisco ACS 5.3 for AnyConnect VPN and Management of a Cisco ASA 5500.

dpatkins, Level 1

We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups.  It works, but it works too well. 

We have a group called XXX that we need to have access to the Cisco AnyConnect Client.  We have selected this group from our Active Directory and added it to our ACS configuration.  We also have added a group called YYY that will manage the ASA. However, this group has no need to access the VPN. 

We have added XXX to the Policy elements Network Access-> Authorization Profiles.  We also have a profile for YYY.

It continues to hit on our default Service Rule that says permit all.

We have also created a Default Network Access rule for this.

I am at a loss.  I am pretty sure I have missed a check box or something.

Any help would definitely be appreciated.

Dwane


Jatin Katyal, Cisco Employee

Are we using the TACACS+ protocol for managing the ASA and RADIUS for VPN access?

For administration, you should edit default device admin access-policy and create an authorization-policy. Same way, you can edit default-network access for vpn access and create a respective policy for that too.

On the ASA, you need to configure tacacs and radius both as a server group.

For administration you can define TACACS+ as an external authentication server under the aaa commands:

! Server group named TACACS, speaking TACACS+ to ACS
aaa-server TACACS protocol tacacs+
! ASDM/HTTP logins authenticate against the group (no LOCAL fallback here)
aaa authentication http console TACACS
! CLI and enable authentication use the group; LOCAL is tried only when ACS is unreachable, not when it rejects the user
aaa authentication telnet console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

For VPN you need to define radius authentication under the tunnel-group.

Hope this helps.

Regards,

Jatin

Do rate helpful posts-

~Jatin
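The ASA AAA configuration that implements the split Jatin describes, as an added example that is not from his reply or from the original poster's config: one TACACS+ server group used only by the management commands (ACS 5.x evaluates TACACS+ requests in its Default Device Admin access service) and one RADIUS server group referenced only by the AnyConnect tunnel-group (evaluated in Default Network Access). The server address 192.0.2.10, both shared secrets, and the names ACS-TACACS, ACS-RADIUS, XXX-VPN and XXX-POLICY are placeholders. On the ACS side, the "permit all" default from the original post goes away only if the Default Network Access authorization policy has a rule matching AD group XXX and its default result is DenyAccess; the ASA config alone does not do that.

```cisco
! Added example (not posted in the thread): ASA 8.x AAA split as Jatin
! describes it. Placeholders: 192.0.2.10, both shared secrets, and the names
! ACS-TACACS, ACS-RADIUS, XXX-VPN, XXX-POLICY.
!
! --- Device administration: TACACS+ to ACS (Default Device Admin service) ---
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 192.0.2.10
 key TacacsSharedSecret
!
! Management logins go to TACACS+. LOCAL is consulted only when the server
! group is unreachable, not when ACS rejects the user.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication http console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
! Per-command authorization from TACACS+: every command is checked against
! the device-admin policy on ACS. Keep a console session open while turning
! this on, since a policy that returns nothing denies every command.
aaa authorization command ACS-TACACS LOCAL
!
! --- Remote-access VPN: RADIUS to the same ACS (Default Network Access) ---
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key RadiusSharedSecret
!
group-policy XXX-POLICY internal
group-policy XXX-POLICY attributes
 vpn-tunnel-protocol ssl-client
!
! Only the tunnel-group references the RADIUS group, and no management
! command references it, so a VPN credential alone never reaches the CLI
! or ASDM; management users exist only in the TACACS+ policy on ACS.
tunnel-group XXX-VPN type remote-access
tunnel-group XXX-VPN general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy XXX-POLICY
tunnel-group XXX-VPN webvpn-attributes
 group-alias XXX enable
```

The fragment shows the AAA pieces only; enabling AnyConnect on the outside interface and the client image are unchanged from a normal AnyConnect setup.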


5 Replies


Jkatyal,

Thank you for the response.  I do not think the management portion is as important as the VPN in this case.

We need to have only personnel located in the AD group XYZ be able to access the VPN on ASA5505.

I have worked some with Cisco TAC and since we had migrated to the ACS 5.3, the Access Policy was configured with NDG Location, in all locations.  We configured it with a new location and added that to the policy but it still did not fix it.

So in a nutshell, how do we configure a situation where a Cisco VPN group going to a specific device can only have access if it belongs to a specific AD group?

Thanks

Just to share---

Here is the way we handled this particular instance since there is only one group who will use this ASA.  On the 5505, we modified the default simultaneous logins to 0.  And then on our VPN group profile, we unchecked the inherit box and modified it so we could have 4 users. 

On the ACS, we modified the Policy Elements, Authorization and Permissions->Network Access->Authorization Profiles, we added two IETF attributes.  One was Radius-IETF->Radius Attribute Class->Type=String->Value OU=name of VPN profile.

Second attribute was Service Type, Type was enumeration, Value=Login.

This seems to have cleared up just anyone logging into this and allowed only the needed members to do this.

Thanks to all for your help.

Dwane
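The ASA side of the approach Dwane describes (default group-policy locked to zero sessions, the VPN group-policy allowing four, and the ACS authorization profile returning Class and Service-Type), as an added example that is not configuration posted in this thread. The address 192.0.2.10, the shared secret, and the names ACS-RADIUS, XXX-POLICY and XXX-VPN are placeholders. On ACS 5.3 the attributes are set in the GUI under Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, so they appear here only as comments. The last four commands go beyond the thread: they put management authentication on the same RADIUS group, which Dwane says is in use, and add exec authorization from the server so that XXX users cannot reach the CLI or ASDM unless ACS returns Service-Type Administrative (6) for them; the thread does not cover this part, so check the behaviour of `aaa authorization exec authentication-server` for the ASA release in use.

```cisco
! Added example (not posted in the thread): ASA 8.x, RADIUS for both VPN and
! management against one ACS 5.3 server. Placeholders: 192.0.2.10, the
! shared secret, and the names ACS-RADIUS, XXX-POLICY, XXX-VPN.
!
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key RadiusSharedSecret
!
! Step 1 (from Dwane's post): the default group-policy allows no sessions.
! Every tunnel-group and group-policy inherits from DfltGrpPolicy unless a
! value is overridden, so a user whose RADIUS reply carries no Class
! attribute lands here and is refused even though authentication succeeded.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
! Step 2: the group-policy for the XXX users overrides the inherited 0
! (the "uncheck inherit, set 4" step in ASDM).
group-policy XXX-POLICY internal
group-policy XXX-POLICY attributes
 vpn-simultaneous-logins 4
 vpn-tunnel-protocol ssl-client
!
! Step 3: the AnyConnect tunnel-group authenticates against RADIUS and
! deliberately sets no default-group-policy, so it inherits DfltGrpPolicy.
tunnel-group XXX-VPN type remote-access
tunnel-group XXX-VPN general-attributes
 authentication-server-group ACS-RADIUS
tunnel-group XXX-VPN webvpn-attributes
 group-alias XXX enable
!
! Step 4 (ACS side, GUI, shown as comments): the authorization profile that
! the Default Network Access policy returns only for members of AD group XXX:
!   Radius-IETF  Class (25)         String       OU=XXX-POLICY;
!   Radius-IETF  Service-Type (6)   Enumeration  Login
! The ASA reads "OU=<name>;" in Class as the group-policy to apply, which is
! what moves XXX users off DfltGrpPolicy. Members of YYY match a different
! profile (or the policy's default result) and receive no Class attribute,
! so on a VPN attempt they inherit the zero-session default.
!
! Beyond the thread: keep the XXX users out of management. With exec
! authorization from the server, the ASA grants full management access only
! when the RADIUS reply carries Service-Type Administrative (6), so return
! that value in the YYY profile only. Verify for the ASA release in use.
aaa authentication ssh console ACS-RADIUS LOCAL
aaa authentication http console ACS-RADIUS LOCAL
aaa authentication enable console ACS-RADIUS LOCAL
aaa authorization exec authentication-server
```

A quick check after applying this: a YYY member should be able to SSH in but get no AnyConnect session (the login is accepted and then dropped for exceeding the zero-login limit, which `show vpn-sessiondb` and the ASA syslog make visible), and an XXX member should get a VPN session but be refused at the SSH and ASDM prompts.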

All,

My apologies, I am using Radius for both.

Thank you,

Dwane

I have the Radius actually working with our AD group. I just need to know how to separate it. The users can log in using the AnyConnect Client. However, so can the users of the administrative group. I am trying to ensure I have the proper restrictions set up. I do not want the VPN users to be able to manage the device nor should the management users be able to access the VPN tunnel.

Does this make sense?

Thank you,

Dwane