Security for one specific user

thomas.green · ‎01-19-2013

Hello,

We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system. Any help would be greatly appreciated.

Thanks

Michal Garcarz · ‎01-19-2013

Hi Thomas,

Yes, there are many options.

Basically ASA accept radius attributes returned for user (during user authentication)

You can return attribute:

IPsec-Split-Tunnel-List with the name of ACL on ASA which will be applied for that user (decides which traffic goes thru the tunnel, which not)

You can also use Radius IETF 25 Class attribute and set it to specific group policy name.

In that group policy on ASA you might want to have for example:

simultaneuous logins = 0

More:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/uz.html#wp1664777

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html

---

Michal

Security for one specific user

Port-Security - Configuração Básica

Re: User Security Expert Insights Series: Cisco Duo & Umbrella Dee

SEG: SLR(Specific License Reservation)の利用方法

Secure Access Resource Repository

Cisco Secure Client 5.1.9.113 (MR9)