04-18-2011 04:55 AM - edited 03-11-2019 01:22 PM
Hi all,
I have a specific requirement. I am using an ASA 5510 and I have integrated my AD for remote VPN user authentication. Now I want to restrict these VPN users to accessing only some specified resources in my inside LAN. Can anyone suggest how I can do this?
Thanks & Regards
R.MADHANKUMAR
Solved! Go to Solution.
04-20-2011 06:53 AM
hmmm..
Well, you need to tell IAS or NPS to return RADIUS attribute 25 (it's called "Class") and assign it the value ou=MyVPNGroupPolicy, where MyVPNGroupPolicy is the name of your group policy on the ASA.
This option is under the standard RADIUS attributes on one of the last configuration screens of the wizard.
The group-policy and tunnel-group configuration need to be present on the ASA. They will be the same as in my previous post here; only the LDAP configuration part is not required.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
04-18-2011 05:16 AM
You can use the vpn-filter command to permit or deny VPN users access to certain subnets and/or port numbers. See the config example below:
Please remember to rate all posts that are helpful.
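The following is an added, complete ASA configuration that ties the two pieces of this thread together: the vpn-filter ACL this reply refers to, and the RADIUS attribute 25 (Class) group-policy selection from the accepted answer. It is not taken from either poster's configuration. The server address 10.10.1.6, the group-policy name MyVPNGroupPolicy, the pool 10.16.20.0/24, the inside hosts 172.16.1.1 (DNS), 172.16.1.20 (RDP) and 172.16.2.0/24 (HTTPS), and the placeholder secrets are all assumptions for illustration. NPS is expected to return Class = "OU=MyVPNGroupPolicy" (Cisco examples sometimes write it with a trailing semicolon); the name after OU= must exactly match a configured group-policy.

```cisco
! ---- RADIUS (IAS/NPS) server group (10.10.1.6 and the secret are assumed) ----
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.10.1.6
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! ---- Address pool handed to remote-access clients (assumed) ----
ip local pool RA-POOL 10.16.20.1-10.16.20.254 mask 255.255.255.0
!
! ---- vpn-filter ACL ----
! Convention: the remote client (pool address) is the SOURCE and the
! inside resource is the DESTINATION; the ASA evaluates the same ACEs
! with the addresses swapped for traffic from inside toward the client.
! Anything not matched is dropped (implicit deny); the explicit deny is
! only there so blocked flows show up in syslog.
access-list VPN-USERS-FILTER extended permit udp 10.16.20.0 255.255.255.0 host 172.16.1.1 eq 53
access-list VPN-USERS-FILTER extended permit tcp 10.16.20.0 255.255.255.0 host 172.16.1.20 eq 3389
access-list VPN-USERS-FILTER extended permit tcp 10.16.20.0 255.255.255.0 172.16.2.0 255.255.255.0 eq 443
access-list VPN-USERS-FILTER extended deny ip any any log
!
! ---- Group policy selected by the Class attribute "OU=MyVPNGroupPolicy" ----
group-policy MyVPNGroupPolicy internal
group-policy MyVPNGroupPolicy attributes
 vpn-filter value VPN-USERS-FILTER
!
! ---- Fallback policy: a user whose Access-Accept carries no Class
!      attribute lands here and cannot log in, instead of silently
!      getting an unfiltered session ----
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
! ---- Tunnel group: authenticate against NPS, default to NoAccess ----
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 authentication-server-group NPS
 default-group-policy NoAccess
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <ikev1-psk>
```

Two things worth checking once this is in place. First, `test aaa-server authentication NPS host 10.10.1.6 username <user> password <pw>` confirms the ASA can reach NPS, and `show vpn-sessiondb detail` shows the "Group Policy" actually assigned to a connected user, so you can see whether the Class attribute was honoured (debug radius shows the attribute in the Access-Accept if it was not). Second, with `sysopt connection permit-vpn` enabled (the default), decrypted VPN traffic bypasses the interface ACLs entirely, so the vpn-filter is the only control on what these users can reach; that is why the tunnel-group defaults to a deny-all policy rather than to the filtered one.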
04-18-2011 10:33 PM
Hi,
Thanks for your reply. In the given example the authentication is against the LOCAL database, but in my case I integrated Active Directory to authenticate remote VPN users. In this case, where can I call the vpn-filter?
Thank you
Madhankumar
04-19-2011 01:20 AM
Hi,
You will be calling the authentication server in the tunnel-group. Based on the credentials, a group-policy will be selected as per the LDAP attribute map.
In the group-policy, a vpn-filter will be defined.
e.g.:
! LDAP attribute map: memberOf -> IETF-Radius-Class selects the group-policy.
! The mapped value must be the name of a group-policy that exists on the ASA,
! and the group DN must live under the same directory as ldap-base-dn below.
ldap attribute-map LDAP-VPN
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN Users,CN=Users,DC=stops,DC=net" vpn-filter
!
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.10.1.5
 ldap-base-dn cn=Users,dc=stops,dc=net
 ldap-scope subtree
 ldap-login-password *
 ! bind account used for the user lookup; a dedicated read-only service account is preferable to Administrator
 ldap-login-dn CN=Administrator,DC=stops,DC=net
 server-type microsoft
 ldap-attribute-map LDAP-VPN
!
! vpn-filter ACL: VPN client pool (10.16.20.0/24) as source, inside DNS server as destination
access-list 103 extended permit udp 10.16.20.0 255.255.255.0 host 172.16.1.1 eq 53
!
group-policy vpn-filter internal
group-policy vpn-filter attributes
 vpn-filter value 103
!
tunnel-group LDAPVPN type remote-access
tunnel-group LDAPVPN general-attributes
 ! policy1 must be an existing ip local pool
 address-pool policy1
 authentication-server-group LDAP
 default-group-policy vpn-filter
tunnel-group LDAPVPN ipsec-attributes
 pre-shared-key *
Hope this helps.
Regards,
Anisha
P.S.:please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
04-19-2011 02:28 AM
Hello Anisha,
Thanks for your reply. I am using Active Directory as a RADIUS server instead of LDAP. Will the above config also suit AD authentication? If not, let me know the config.
Thank you
MADHANKUMAR