Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
750
Views
0
Helpful
2
Replies

How to lock user to multiple tunnel groups in ASA

sulander
Level 1
Level 1

‎09-05-2006 07:44 AM - edited ‎02-21-2020 01:09 AM

Hello,

I have a following question regarding the tunnel groups on ASA.

We have multiple user groups with different access level needs and a user can be part of a multiple groups.

Currently ASA (or VPN 3000) allows to lock a user to only one group. I see this as a serious limitation as there for example might be three groups:

- Billing (secure access only to certain systems)

- Human Resources

- General remote access (allowing access only to general services / internet)

And the user is only allowed to access two of the groups: Billing & General remote access. Now locking the user to one group doesn't accomplish this need.

So why doesn't ASA allow to define multiple groups on "tunnel group lock"?

Have anyone figured a scalable workaround for this problem?

As far as I can tell we might use different realms (for each tunnel group) on our authentication/authorization servers, but this would be a hack..

Regards,

Miska

0 Helpful
2 Replies 2

vmoopeung
Level 5
Level 5

‎09-11-2006 06:39 AM

You want to have VPN connections on an ASA with multiple security contexts. Am I right?

According to this, here is my action plan: Actually in multiple context mode the vpn tunnel functionality does not work.

Please look into this documentation:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/contexts.htm#wp1116132

I hope this helps.

0 Helpful

sulander
Level 1
Level 1
In response to vmoopeung

‎09-26-2006 07:50 AM

No, actually in single context, but I found a solution for the ASA limitation.

The solution was to use freeradius and realms to differentiate the different groups in ASA (VPN Groups).

The user log in to the wanted VPN group, using "username!group" which is defined as a realm in radius. Radius will verify if the username/pwd is correct and if the user has the right priviledge for the VPN group (realm).

When the user is allowed to use the VPN group, radius returns group-lock attribute back to ASA with the same group value as the user tried login to.

So the whole process enables us to allow the user to use his/her own username & password to authenticate to _selected_ VPN groups (no need to use certificates) without any limitation to either lock the user to _one_ group or allow access to _all_ groups.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card