06-12-2012 08:39 AM - edited 03-10-2019 07:11 PM
We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups. It works, but it works too well.
We have a group called XXX that we need to have access to the Cisco AnyConnect Client. We have selected this group from our Active Directory and added it to our ACS configuration. We also have added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.
We have added XXX to the Policy elements Network Access-> Authorization Profiles. We also have a profile for YYY.
It continues to hit on our default Service Rule that says permit all.
We have also created a Default Network Access rule for this.
I am at a loss. I am pretty sure I have missed a check box or something.
Any help would definitely be appreciated.
Dwane
06-12-2012 08:53 AM
Are we using TACACS protocol for managing the ASA and RADIUS for VPN access?
For administration, you should edit default device admin access-policy and create an authorization-policy. Same way, you can edit default-network access for vpn access and create a respective policy for that too.
On the ASA, you need to configure tacacs and radius both as a server group.
For administration you can define tacacs as an external authentication server under aaa commands
aaa-server TACACS protocol tacacs+
aaa authentication http console TACACS
aaa authentication telnet console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
For VPN you need to define radius authentication under the tunnel-group.
Hope this helps.
Regards,
Jatin
Do rate helpful posts-
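The split Jatin describes, as an added configuration example that is not from the thread or from either poster: a TACACS+ server group for device administration and a separate RADIUS server group bound to the AnyConnect tunnel-group. Server names, addresses, the tunnel-group and group-policy names and the address pool are all assumptions.

```cisco
! Added example (not the original poster's config); server names, addresses,
! tunnel-group and group-policy names are assumptions.
!
! Two server groups: one protocol each, so admin and VPN logins can be
! authorized by different ACS policies (device admin vs. network access).
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key <tacacs-shared-secret>
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.11
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Device administration goes to TACACS+; LOCAL is only a fallback used when
! the server group is unreachable, not a second way in while ACS is up.
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL
!
! AnyConnect users authenticate against RADIUS, bound under the tunnel-group.
group-policy GP-XXX internal
group-policy GP-XXX attributes
 vpn-tunnel-protocol ssl-client
tunnel-group ANYCONNECT-XXX type remote-access
tunnel-group ANYCONNECT-XXX general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS
 default-group-policy GP-XXX
tunnel-group ANYCONNECT-XXX webvpn-attributes
 group-alias XXX enable
```

Check the binding with `show run tunnel-group ANYCONNECT-XXX` and `test aaa-server authentication RADIUS host 192.0.2.11 username <user> password <pw>`; the `test aaa-server` command exercises the server group without opening a session, so it is the quickest way to confirm which ACS policy a given account hits.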
06-13-2012 07:11 AM
Jkatyal,
Thank you for the response. I do not think the management portion is as important as the VPN in this case.
We need to have only personnel located in the AD group XYZ be able to access the VPN on ASA5505.
I have worked some with Cisco TAC and since we had migrated to the ACS 5.3, the Access Policy was configured with NDG Location, in all locations. We configured it with a new location and added that to the policy but it still did not fix it.
So in a nutshell, how do we configure a situation where a Cisco VPN group going to a specific device can only have access if it belongs to a specific AD group?
Thanks
06-14-2012 09:25 AM
Just to share---
Here is the way we handled this particular instance since there is only one group who will use this ASA. On the 5505, we modified the default simultaneous logins to 0. And then on our VPN group profile, we unchecked the inherit box and modified it so we could have 4 users.
On the ACS, under Policy Elements, Authorization and Permissions->Network Access->Authorization Profiles, we added two IETF attributes. One was Radius-IETF->Radius Attribute Class->Type=String->Value OU=name of VPN profile.
The second attribute was Service Type, Type was enumeration, Value=Login.
This seems to have cleared up just anyone logging into this and allowed only the needed members to do this.
Thanks to all for your help.
Dwane
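The lock-down Dwane describes, written out as an added ASA example (not the poster's actual configuration): the default group policy gets 0 simultaneous logins, the named policy for the AD group gets 4, and ACS returns a RADIUS Class attribute naming that policy only to members of the AD group. The ASA maps a Class value of the form `OU=<name>` onto the group policy with that name. The group-policy name `GP-XXX` is an assumption; the thread only says "name of VPN profile".

```cisco
! Added example, not the thread's own config; GP-XXX is an assumed name.
!
! 1) Lock the default group policy. Any account that authenticates but is not
!    mapped to a named group policy inherits 0 logins and is refused.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
! 2) Named policy for the AD group. Setting the value explicitly is what
!    "uncheck inherit" does in ASDM; it overrides the 0 from DfltGrpPolicy.
group-policy GP-XXX internal
group-policy GP-XXX attributes
 vpn-simultaneous-logins 4
 vpn-tunnel-protocol ssl-client
!
! 3) ACS authorization profile applied only to members of AD group XXX
!    (entered in the ACS GUI, shown here as a comment):
!    RADIUS-IETF  Class         String       OU=GP-XXX
!    RADIUS-IETF  Service-Type  Enumeration  Login
!    The ASA reads Class=OU=GP-XXX from the Access-Accept and places the
!    session in GP-XXX. Accounts that receive no Class (e.g. the YYY admins
!    if they authenticate against the same RADIUS group) stay in DfltGrpPolicy
!    and are rejected by the 0-login limit.
!
! Verify after a test login from each group:
!   show vpn-sessiondb anyconnect      (XXX user present, YYY user absent)
!   debug radius                       (Class attribute present only for XXX)
```

This handles the VPN side of the separation only. Keeping the VPN users out of device management is a separate decision made by the device-admin authorization policy in ACS, as Jatin describes, not by the group policy.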
06-18-2012 06:19 AM
All,
My apologies, I am using Radius for both.
Thank you,
Dwane
06-18-2012 06:19 AM
I have the Radius actually working with our AD group. I just need to know how to separate it. The users can log in to using the AnyConnect Client. However, so can the users of the administrative group. I am trying to ensure I have the proper restrictions set up. I do not want the VPN users to be able to manage the device nor should the management users be able to access the VPN tunnel.
Does this make sense?
Thank you,
Dwane