Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
272
Views
0
Helpful
4
Replies

Anyconnect IKEV2 restricting access via AAA auth Group

Go to solution
mahesh18
Level 6
Level 6

‎10-07-2014 05:53 PM - edited ‎02-21-2020 07:52 PM

 

Hi Everyone,

I have ASA config with 2 connection groups

Say Group  1 and 2.

Currently both are assigned to Same Auth AAA group

One of our external vendor has access to both XM files of connection group 1 and 2..

If i want Vendor should connect only to  Connection Group 2 should i change the AAA auth group for connection group 2?

Then even if he tries to connection group 1 it should not work as AAA Auth group will be only assigned to Group 2 right?

 

Regards

Mahesh

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to mahesh18

‎10-10-2014 07:43 AM

Mahesh

 

If you have a single authentication server (or a pair of servers in HA operation) then it would seem that the vendor would be authenticated no matter which group they are attempting to access.

 

I have a customer that looked into using the group lock feature to accomplish something similar to what you describe. They used RSA two factor authentication as you do. What they looked into was to send the authentication request to a Radius server. The Radius server would send the ID and code entered to RSA to do the two factor authentication and the Radius server would also querry Active Directory to learn about group membership of the user. The Radius server then would return the results from RSA and the group ED to the ASA which would use group lock feature to be sure that the user was accessing the right group. Perhaps something like that might work for you?

 

HTH

 

Rick

HTH

Rick

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎10-08-2014 05:26 AM

Mahesh

 

I am not clear on what you are describing. Clearly there are two groups and you want the vendor to access only one of the groups. It is not clear how many authentication servers you have and it is not clear whether some authentication server would authenticate the vendor while another authentication server would not authenticate the vendor. If that were the case it would make sense to configure two Auth groups (where each Auth group has its own unique authentication server) and configure each Connection Group to have its own Auth group.

 

You might also want to look at using the group lock feature. If your authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response then group lock can make sure that users are selecting the particular group that they belong to.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Richard Burts

‎10-08-2014 05:24 PM

 

Hi Rick,

There is info

Our ASA is configured with two connection groups.Our Vendor has XML files of both the

Connection groups say                                      1 and 2.

AAA Authentication group  called ----------------- RSA  ----Two servers are there in RSA group.

We are using 2 factor Authentication.

We want vendor to connect to connection group 2 only.

We have two RSA Authentication  servers they are in HA mode so if one dies other can do the authentication.ASA has only 1 authentication  group called say RSA and both connection groups 1 and 2 are tied to the same Authentication group called RSA.

If i configure new AAA server group say RSA2 for connection group 2 but it has same 2 servers will

it restrict the vendors connection to connection group 2 only?

Also when you say --- authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response?

Need to know how i can do this?

 

Regards

MAhesh

 

 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to mahesh18

‎10-10-2014 07:43 AM

Mahesh

 

If you have a single authentication server (or a pair of servers in HA operation) then it would seem that the vendor would be authenticated no matter which group they are attempting to access.

 

I have a customer that looked into using the group lock feature to accomplish something similar to what you describe. They used RSA two factor authentication as you do. What they looked into was to send the authentication request to a Radius server. The Radius server would send the ID and code entered to RSA to do the two factor authentication and the Radius server would also querry Active Directory to learn about group membership of the user. The Radius server then would return the results from RSA and the group ED to the ASA which would use group lock feature to be sure that the user was accessing the right group. Perhaps something like that might work for you?

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Richard Burts

‎10-12-2014 08:26 AM

 

Hi Rick,

 

I will look into this and try to do this via sending query to Active Directory also.

Regards

Mahesh

0 Helpful
Customers Also Viewed These Support Documents