05-11-2007 03:20 AM - edited 03-11-2019 03:12 AM
Hello
I have a setup with a Cisco ASA 5520 with remote access VPN (using the Cisco VPN client) and 3 different VPN group policies, each with different levels of access. The users are authenticated using RADIUS against a Windows Server 2003 Active Directory. Is it in any way possible to associate specific users with specific VPN group policies, without using LOCAL authentication or a Cisco ACS server?
best regards
05-11-2007 04:34 AM
I had a similar problem, so my solution was to have three different VPN groups on the ASA, they all use the same authentication server but each group has different parameters.
05-11-2007 04:41 AM
Yes, I have also set up 3 different VPN groups with different access-lists to specify the access. But the problem is that the difference (and the security) only lies in the profile (.pcf file): if, for example, user A only has limited access to the network through his VPN profile and user B has full access through his VPN profile, then user A can just copy user B's .pcf file and then use his own username/password (which is his Windows Server 2003 AD username/password) and that way gain full access.
I want to bind a VPN group to an AD user account, so that a user can only login using the Cisco VPN client, using the VPN profile he is intended to use.
Hope that you understand what I mean...
05-11-2007 05:34 AM
I can't think of a way to do this with IAS. You would need the ASA to pass the group name so you could create separate remote access policies, then tie them to separate windows groups.
05-11-2007 09:22 AM
You could also do it with the ACS server. Configure the radius to pass auth to AD.
You can configure ACS to dump the user into different groups. Gives you many options for controlling access like downloadable ACLs, access hours, and Network Access Profiles.
Little extra cost but much more flexible.
Thanks,
Chad
05-11-2007 09:24 AM
His question was whether or not he could do it without ACS.
05-11-2007 09:55 AM
My fault, was skimming and missed the last part.
Use certificates instead of PSK. The tunnel group setting needs to be part of the cert. So your .pcf will not contain a tunnel group. When the connection comes in it will read the value and stick the user in the desired tunnel-group.
Without certs the IAS will not give the desired result. You can control what parameters make up a valid authentication. The only extra thing it has is being able to assign a VLAN, which will only work on Ethernet or WiFi.
Thanks,
Chad
05-11-2007 12:31 PM
Chad,
How does that work with AD? Wouldn't you still have to associate a tunnel-group with an account in AD? Maybe I misunderstood but all I would have to do is use a laptop with a cert for a tunnel-group I did not belong to and login with my AD credentials? Maybe not, I don't know much about certs. thanks.
05-14-2007 05:01 AM
The cert replaces the group name and password auth within the .pcf file. You have to configure the ASA to trust the issuing CA. So the cert allows the firewall to accept the incoming request, then place it in the correct tunnel-group.
Once the connection request is accepted and placed in the correct tunnel group the user authentication will occur which can be pointed to AD via IAS.
You would need the private key in order to log in and be assigned to the correct tunnel-group, which only the user it was assigned to should have. In the event that it was stolen or compromised you just make the cert invalid and the firewall will just reject the connection request. Much more secure and easier to maintain than PSK in a large infrastructure.
PKI:
http://en.wikipedia.org/wiki/Public_key_cryptography
Hope this answers your question. Let me know.
Thanks,
Chad
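As an added illustration of what the certificate-based tunnel-group mapping described in this thread looks like on the ASA (this is not Chad's configuration or anything posted in the thread), the fragment below uses ASA 7.x/8.x-era CLI. The trustpoint name CORP-CA, the OU values, the tunnel-group and group-policy names, the ACL names, the IAS server address and the RADIUS key are all assumed placeholders; the site-specific access-lists referenced by vpn-filter are not shown.

```cisco
! Added example (not from the thread): map client certificates to tunnel-groups,
! while user authentication still goes to AD through IAS over RADIUS.
! All names, addresses and the RADIUS key are assumed placeholders.

! RADIUS server group pointing at the IAS server (example address and key)
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.0.2.10
 key CHANGE-ME-radius-shared-secret

! Trustpoint for the enterprise CA that issues the user certificates.
! The ASA only accepts certificates chained to a trusted CA, so import the
! CA certificate afterwards with: crypto ca authenticate CORP-CA
crypto ca trustpoint CORP-CA
 enrollment terminal

! Group policies: the ACL named in vpn-filter limits what each group may
! reach once the tunnel is up (ACL contents are site-specific, not shown).
group-policy GP-LIMITED internal
group-policy GP-LIMITED attributes
 vpn-filter value ACL-VPN-LIMITED
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-filter value ACL-VPN-FULL

! Tunnel-groups: both authenticate the user against IAS/AD, but each one
! lands the session in a different group-policy (and therefore vpn-filter).
tunnel-group TG-LIMITED type ipsec-ra
tunnel-group TG-LIMITED general-attributes
 authentication-server-group IAS
 default-group-policy GP-LIMITED
tunnel-group TG-LIMITED ipsec-attributes
 trust-point CORP-CA

tunnel-group TG-FULL type ipsec-ra
tunnel-group TG-FULL general-attributes
 authentication-server-group IAS
 default-group-policy GP-FULL
tunnel-group TG-FULL ipsec-attributes
 trust-point CORP-CA

! Certificate maps: match on the OU the CA put in the certificate subject,
! then bind each map to a tunnel-group. The tunnel-group is now chosen from
! the certificate (which requires the holder's private key) instead of from
! the group name in the .pcf, so a copied profile by itself does not move a
! user into a tunnel-group the CA did not issue them a certificate for.
crypto ca certificate map MAP-LIMITED 10
 subject-name attr ou eq vpn-limited
crypto ca certificate map MAP-FULL 10
 subject-name attr ou eq vpn-full

tunnel-group-map enable rules
tunnel-group-map MAP-LIMITED 10 TG-LIMITED
tunnel-group-map MAP-FULL 10 TG-FULL
! Certificates that match no map fall back to the restricted group rather
! than to whatever group the client asked for.
tunnel-group-map default-group TG-LIMITED
```

Two things to check in such a setup: the CA's issuance process must be what sets the OU (users must not be able to request a certificate with an OU of their choosing), and revocation checking on the trustpoint must actually be enabled and reachable, since Chad's "make the cert invalid" step only helps if the ASA consults the CRL or OCSP responder.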