Deny VPN access for specified groups

farkascsgy
Level 4

Hello,

I have ACS and I use this authentication center for multiple devices. My issue is to deny VPN access for some groups and allow it for others. Clients are connected to an ASA; maybe the solution can be a cisco-av-pair attribute or something else.

Please make some suggestions.

Thanks in advance.

bye

FCS

8 Replies

Vivek Santuka
Cisco Employee

Hi,

You can define a Network Access Restriction (NAR) to deny access to ASA for the group which should not have access to VPN.

More on NARs at:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/g.htm#wp478900

Regards,

Vivek

dogany
Level 1

If you need to deny access requests coming from some of your NAS, you can use NAR (Network Access Restrictions) at ACS. NAR allows you to define which user should connect to which NAS.

If you want to deny access requests for some of the VPN groups at the ASA, you can basically select a different authentication server for that group.

Guys,

Sorry, but I couldn't catch the solution until now.

On my ASA I have GROUP1 and GROUP2 VPN groups for remote VPN connections. In my ACS I define two groups, GROUP1-USER and GROUP2-USER; what I want to achieve is that GROUP1-USER will be able to access the GROUP1 profile etc. And I want to do this limitation on ACS (using External database: Windows group mapping).

If you can, please send me some useful link or, better, a short configuration guide for this limitation. Anyway, the authentication works well from ACS using the External Database.

Thanks in advance

FCS

You want to restrict GROUP1-USER's users to GROUP1 on the ASA and GROUP2-USER's users to GROUP2 on the ASA?

If yes, then on GROUP1-USER on ACS select RADIUS IETF attribute 25 - Class and set it to ou=GROUP1;

Likewise, on GROUP2-USER set Class to ou=GROUP2;

HTH

OK, it sounds good. Do I need some extra config on the ASA, like authorization or something? If yes, can you explain?

Thanks

FCS

No, we will not require anything apart from the authentication command.

Make sure OU is in capital letters and that there is a semicolon after the group name in the ACS Class attribute.

It doesn't work for me.

aaa-server ACS protocol radius
aaa-server ACS host x.x.x.x
 key keykeykeykey

tunnel-group TG general-attributes
 address-pool TG-Pool
 authentication-server-group ACS
 default-group-policy TG

And in the ACS the ASA is set as RADIUS (Cisco VPN 3000/ASA/PIX 7.x+), but I tried with RADIUS IETF too. The Class attribute is OU=VPNGROUP;

Anyway, the VPN works well. What can be the problem?

I use External Database Mapping in ACS.

Thanks in advance.

Bye

FCS

The ASA works differently, not as a concentrator etc.

With the ASA the Class attribute will just provide the group-policy name and not the group name.

The group-policy on the ASA will then have the group to which the user needs to be bound.

Let's say you want to lock user rj123 into group RemoteGroup. Then on the RADIUS server define IETF attribute 25 Class "OU=RemotePolicy;" for this user. Here is the config on the ASA:

group-policy RemotePolicy internal
group-policy RemotePolicy attributes
 dns-server value 10.1.1.1 10.2.2.2
 group-lock value RemoteGroup

Basically the OU sets the group-policy for this user, and in the group-policy you lock the user into the tunnel-group that you want.
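The mechanism the last two replies describe (the RADIUS Class attribute names an ASA group-policy, and that group-policy's group-lock ties the user to one tunnel-group, with the Class value required to read "OU=<policy>;" in capitals) can be checked before anyone touches the ACS. The following is an added example written for this page, not code from the thread or from Cisco: it parses a Class attribute value, reports the two formatting mistakes the thread calls out, and models the allow/deny outcome against a constructed table of group-policy to group-lock mappings. The policy and tunnel-group names, the table, and the decision rule for an undefined policy are assumptions of the model.

```python
"""Model of the ASA/ACS group-lock behaviour described in the thread.

Constructed example: the GROUP_LOCK table stands in for the ASA's
`group-policy <name> attributes` / `group-lock value <tunnel-group>` lines;
it is not read from a real device.
"""
import re
from typing import List, Optional, Tuple

# Format the thread insists on: uppercase "OU=", a policy name, trailing ";".
CLASS_RE = re.compile(r"^OU=([A-Za-z0-9_.-]+);$")


def parse_class_attribute(value: str) -> Optional[str]:
    """Return the group-policy name carried in a RADIUS Class (IETF 25) value,
    or None if the value is not in the form the thread says the ASA expects."""
    m = CLASS_RE.match(value)
    return m.group(1) if m else None


def lint_class_attribute(value: str) -> List[str]:
    """List why a Class value would be rejected: the two mistakes named in the
    thread (lowercase 'ou=' and a missing semicolon) plus odd characters."""
    problems = []
    if not value.startswith("OU="):
        problems.append("must start with uppercase 'OU='")
    if not value.endswith(";"):
        problems.append("must end with ';'")
    if not problems and not CLASS_RE.match(value):
        problems.append("policy name contains unexpected characters")
    return problems


# Constructed mapping: group-policy name -> tunnel-group it is locked to.
# RemotePolicy/RemoteGroup come from the last reply; GROUP1/GROUP2 are the
# poster's tunnel-groups with assumed policy names.
GROUP_LOCK = {
    "GROUP1-Policy": "GROUP1",
    "GROUP2-Policy": "GROUP2",
    "RemotePolicy": "RemoteGroup",
}


def vpn_decision(class_value: str, tunnel_group: str) -> Tuple[bool, str]:
    """Decide whether a user carrying `class_value` may connect through
    `tunnel_group`, following the lock rule the thread describes."""
    policy = parse_class_attribute(class_value)
    if policy is None:
        reasons = "; ".join(lint_class_attribute(class_value))
        return False, f"unparseable Class attribute ({reasons})"
    locked_to = GROUP_LOCK.get(policy)
    if locked_to is None:
        # Policy not in the table: the model denies rather than guessing what
        # a real ASA would do with an unknown group-policy name.
        return False, f"group-policy {policy} is not defined in the model"
    if locked_to != tunnel_group:
        return False, f"{policy} is group-locked to {locked_to}, not {tunnel_group}"
    return True, f"{policy} permits tunnel-group {tunnel_group}"


if __name__ == "__main__":
    for cls, tg in [("OU=RemotePolicy;", "RemoteGroup"),
                    ("OU=GROUP1-Policy;", "GROUP2"),
                    ("ou=GROUP1-Policy;", "GROUP1"),
                    ("OU=GROUP1-Policy", "GROUP1")]:
        ok, why = vpn_decision(cls, tg)
        print(f"{cls!r:22} -> {tg:12} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Run it as a script to see the four cases: the correctly formed value is allowed only on the tunnel-group its policy locks to, while the lowercase "ou=" and the missing semicolon are refused with the reason the thread gives.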