Re: Restrict access for non-domain users on a CISCO ASA

khayhuynh · ‎10-14-2009

Hello all,

Do you know if there is a way to deny trafic through a CISCO ASA for all non-domain users?

Or do we have to use a NAC system ? (and, if yes, what kind of NAC system?)

Many thanks

regards,

Panos Kampanakis · ‎10-14-2009

NAC is a way to go http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html.

You can also use ACS to authenticate users before going through the ASA. You can also integrate ACS with your Active Directory.

Not very trivial tasks but the technology is there to support them.

PK

khayhuynh · ‎10-18-2009

Hello,

ACS seems to be a good way. However, I can't find any information about authenticating trafic users on ASA with ACS. I only saw documentation on how secure access on the firewall with ACS, but nothing about authenticating users when they are trying to pass through the FW.

Can someone help me by providing me some URL about it?

Many thanks

hdashnau · ‎10-14-2009

If you are trying to do this for VPN connections into your ASA:

-you can deny the non-domain users from logging in with ldap attribute maps or dap

-you can also restrict access with a vpn-filter acl or webvpn type acl applied in the group policy

khayhuynh · ‎10-21-2009

Hello hdashnau,

It's not for VPN connections but for all trafic from one local zone to another.

I'm still looking for a way to do that, with ACS or NAC, but i can't find any documentation on it.

Did someone already face this issue?

Many thanks,

Regards

Herbert Baerten · ‎10-21-2009

Hi K,

have a look at "cut-through proxy" aka "AAA for network access" :

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html

hth

H