Restrict access for non-domain users on a CISCO ASA
10-14-2009 01:13 AM - edited 03-11-2019 09:25 AM
Hello all,
Do you know if there is a way to deny traffic through a Cisco ASA for all non-domain users?
Or do we have to use a NAC system? (And, if yes, what kind of NAC system?)
Many thanks
regards,
Labels: NGFW Firewalls
10-14-2009 04:33 AM
NAC is a way to go http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html.
You can also use ACS to authenticate users before going through the ASA. You can also integrate ACS with your Active Directory.
Not very trivial tasks but the technology is there to support them.
PK
10-18-2009 11:59 PM
Hello,
ACS seems to be a good way. However, I can't find any information about authenticating traffic users on the ASA with ACS. I only saw documentation on how to secure access to the firewall with ACS, but nothing about authenticating users when they are trying to pass through the FW.
Can someone help me by providing me some URL about it?
Many thanks
10-14-2009 10:10 AM
If you are trying to do this for VPN connections into your ASA:
- you can deny the non-domain users from logging in with LDAP attribute maps or DAP
- you can also restrict access with a vpn-filter ACL or webvpn-type ACL applied in the group policy
10-21-2009 12:43 AM
Hello hdashnau,
It's not for VPN connections but for all traffic from one local zone to another.
I'm still looking for a way to do that, with ACS or NAC, but I can't find any documentation on it.
Did someone already face this issue?
Many thanks,
Regards
10-21-2009 06:08 AM
Hi K,
have a look at "cut-through proxy" aka "AAA for network access":
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html
hth
H
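To make the last reply concrete, here is an added ASA configuration sketch for cut-through proxy (AAA for network access) that is not taken from the thread or from the linked Cisco guide. It assumes a constructed topology: users on the `inside` interface in 10.1.0.0/16, a protected zone on `dmz` in 10.2.0.0/16, and an Active Directory domain controller at 10.0.0.10 that the ASA queries over LDAP. Interface names, addresses, ACL names, the service account DN and the password are placeholders.

```cisco
! Constructed example, not from the original thread or Cisco's own docs.
! Topology assumed: users on "inside" (10.1.0.0/16), servers on "dmz"
! (10.2.0.0/16), Active Directory domain controller at 10.0.0.10.

! 1. AAA server group the ASA authenticates against. Pointing it at AD
!    over LDAP means only accounts that exist in the domain can pass.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=local
 ldap-login-password PLACEHOLDER-CHANGE-ME
 server-type microsoft

! 2. Which through-traffic must be authenticated. A "deny" ACE here does
!    not drop traffic; it exempts it from the authentication requirement.
!    The domain controller is exempted so that workstations can still
!    reach it for domain logon before any user has authenticated.
access-list AUTH-MATCH extended deny   ip any host 10.0.0.10
access-list AUTH-MATCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! 3. Enable cut-through proxy on the ingress interface. Flows matching
!    AUTH-MATCH from a source IP with no authenticated user are held
!    until the user authenticates; everything else is unaffected.
aaa authentication match AUTH-MATCH inside AD-LDAP

! 4. Let the ASA prompt browsers itself. Without a listener only Telnet,
!    FTP and HTTP(S) flows trigger the challenge; other protocols from the
!    same source IP open only after the user has authenticated through one
!    of those.
aaa authentication listener http inside port www redirect
aaa authentication listener https inside port https redirect

! 5. Bound how long an authenticated source IP stays open, so a host that
!    is handed to another user (or spoofed) does not inherit the session
!    indefinitely.
timeout uauth 0:30:00 absolute
timeout uauth 0:05:00 inactivity

! 6. Keep an audit trail of who authenticated from which address.
logging enable
logging trap informational
```

Two caveats worth knowing before relying on this for the original question. First, cut-through proxy binds authentication to a source IP address, not to a machine: a non-domain PC whose user can type valid domain credentials will pass, and hosts behind a shared NAT address all inherit the first user's session. Second, it only proves that the user has an account in the domain; it says nothing about the device's patch level or posture. That is exactly the gap the earlier replies point at when they recommend NAC (or 802.1X on the switch ports) rather than the firewall alone, so the two approaches are complementary rather than interchangeable.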
