VPN Authentication

Madhan Kumar
Level 1

Hi all,

I have a specific requirement. I am using an ASA 5510 and I have integrated my AD for remote VPN user authentication. Now I want to restrict these VPN users to accessing only some specified resources in my inside LAN. Can anyone suggest how I can do this?

Thanks & Regards

R.MADHANKUMAR

Accepted Solution

hmmm..

Well, you need to tell the IAS or NPS to return RADIUS attribute 25 (it's called "Class") and assign it the value ou=MyVPNGroupPolicy, where MyVPNGroupPolicy is the name of your group policy in the ASA.

This option is under the standard RADIUS attributes on one of the last configuration screens of the wizard.

The group-policy and the tunnel-group configuration need to be present in the ASA. They will be the same as in my previous post here; only the LDAP configuration part is not required.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
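The RADIUS variant Anisha describes, written out as an added example (it is not Anisha's config and not a Cisco example): the IAS/NPS box is defined as a RADIUS aaa-server, the Class attribute value OU=MyVPNGroupPolicy returned by NPS selects the group-policy of that name, and the vpn-filter ACL inside that policy is what confines the VPN users to the chosen inside resources. The tunnel-group name LDAPVPN is taken from the thread; the server address 10.10.1.6, the 192.168.50.0/24 pool and the two inside hosts are assumed values, and the secrets are placeholders. The tunnel-group's default group-policy is a deliberately locked NOACCESS policy, so a user whose RADIUS reply carries no matching Class attribute cannot log in at all rather than landing in an unfiltered policy.

```cisco
! RADIUS server group pointing at the Windows IAS/NPS server (address assumed)
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.10.1.6
 key <SHARED-SECRET-PLACEHOLDER>
 authentication-port 1812
 accounting-port 1813
!
! Address pool handed to remote users (assumed range)
ip local pool VPNPOOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
!
! vpn-filter ACL: source = VPN client addresses, destination = inside resource.
! The ASA applies it to both directions of the tunnel; anything not permitted is dropped.
access-list VPN-USERS-FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 172.16.1.10 eq 443
access-list VPN-USERS-FILTER extended permit udp 192.168.50.0 255.255.255.0 host 172.16.1.1 eq 53
!
! Group policy selected when NPS returns Class (attribute 25) = OU=MyVPNGroupPolicy
group-policy MyVPNGroupPolicy internal
group-policy MyVPNGroupPolicy attributes
 vpn-filter value VPN-USERS-FILTER
!
! Fallback policy for a reply without a matching Class value: no logins allowed
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group LDAPVPN type remote-access
tunnel-group LDAPVPN general-attributes
 address-pool VPNPOOL
 authentication-server-group NPS
 default-group-policy NOACCESS
tunnel-group LDAPVPN ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
```

On the NPS side the Class value must be spelled exactly as the ASA group-policy name (case included); "show vpn-sessiondb remote" on the ASA shows which group-policy and filter a connected user actually received.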


5 Replies

sean_evershed
Level 7

You can use the vpn-filter command to permit or deny VPN users access to certain subnets and/or port numbers. See the config example below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Please remember to rate all posts that are helpful.

Hi,

Thanks for your reply. In the given example the authentication is against the LOCAL database. But in my case I integrated an Active Directory to authenticate remote VPN users. In this case, where can I call the vpn-filter?

Thank you

Madhankumar

hi,

You will be calling the authentication server in the tunnel-group. Based on the credentials, a group-policy will be selected as per the LDAP attribute map.

In the group-policy a vpn-filter will be defined.

e.g.:

! memberOf of the authenticated user is mapped onto the Class attribute;
! a member of "VPN Users" gets the group-policy named "vpn-filter"
ldap attribute-map LDAP-VPN
  map-name memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Users,CN=Users,DC=stops,DC=net" vpn-filter

hostname(config)# aaa-server LDAP protocol ldap
hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 10.10.1.5
hostname(config-aaa-server-host)# ldap-base-dn cn=Users,dc=stops,dc=net
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-login-password *
hostname(config-aaa-server-host)# ldap-login-dn CN=Administrator,DC=stops,DC=net
hostname(config-aaa-server-host)# server-type Microsoft
hostname(config-aaa-server-host)# ldap-attribute-map LDAP-VPN

! the group-policy carries the vpn-filter ACL that limits what the user can reach
group-policy vpn-filter internal
group-policy vpn-filter attributes
  vpn-filter value 103

! source = VPN client addresses, destination = inside resource (DNS on 172.16.1.1);
! the ASA applies the filter to both directions of the tunnel
access-list 103 extended permit udp 10.16.20.0 255.255.255.0 host 172.16.1.1 eq 53

! address-pool policy1 refers to an "ip local pool policy1 ..." that must be defined separately
tunnel-group LDAPVPN type remote-access
tunnel-group LDAPVPN general-attributes
  address-pool policy1
  authentication-server-group LDAP
  default-group-policy vpn-filter
tunnel-group LDAPVPN ipsec-attributes
  pre-shared-key *

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Hello Anisha,

Thanks for your reply. I am using Active Directory as a RADIUS server instead of LDAP. Will the above config also suit AD authentication? If not, let me know the config.

Thank you

MADHANKUMAR

