cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

91
Views
0
Helpful
4
Replies
Frequent Contributor

Anyconnect IKEV2 restricting access via AAA auth Group

 

Hi Everyone,

I have ASA config with 2 connection groups

Say Group  1 and 2.

Currently both are assigned to Same Auth AAA group

One of our external vendor has access to both XM files of connection group 1 and 2..

If i want Vendor should connect only to  Connection Group 2 should i change the AAA auth group for connection group 2?

Then even if he tries to connection group 1 it should not work as AAA Auth group will be only assigned to Group 2 right?

 

Regards

Mahesh

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Master

Mahesh If you have a single

Mahesh

 

If you have a single authentication server (or a pair of servers in HA operation) then it would seem that the vendor would be authenticated no matter which group they are attempting to access.

 

I have a customer that looked into using the group lock feature to accomplish something similar to what you describe. They used RSA two factor authentication as you do. What they looked into was to send the authentication request to a Radius server. The Radius server would send the ID and code entered to RSA to do the two factor authentication and the Radius server would also querry Active Directory to learn about group membership of the user. The Radius server then would return the results from RSA and the group ED to the ASA which would use group lock feature to be sure that the user was accessing the right group. Perhaps something like that might work for you?

 

HTH

 

Rick

4 REPLIES 4
Hall of Fame Master

Mahesh I am not clear on what

Mahesh

 

I am not clear on what you are describing. Clearly there are two groups and you want the vendor to access only one of the groups. It is not clear how many authentication servers you have and it is not clear whether some authentication server would authenticate the vendor while another authentication server would not authenticate the vendor. If that were the case it would make sense to configure two Auth groups (where each Auth group has its own unique authentication server) and configure each Connection Group to have its own Auth group.

 

You might also want to look at using the group lock feature. If your authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response then group lock can make sure that users are selecting the particular group that they belong to.

 

HTH

 

Rick

Frequent Contributor

 Hi Rick,There is infoOur ASA

 

Hi Rick,

There is info

Our ASA is configured with two connection groups.Our Vendor has XML files of both the

Connection groups say                                      1 and 2.

AAA Authentication group  called ----------------- RSA  ----Two servers are there in RSA group.

We are using 2 factor Authentication.

We want vendor to connect to connection group 2 only.

We have two RSA Authentication  servers they are in HA mode so if one dies other can do the authentication.ASA has only 1 authentication  group called say RSA and both connection groups 1 and 2 are tied to the same Authentication group called RSA.

If i configure new AAA server group say RSA2 for connection group 2 but it has same 2 servers will

it restrict the vendors connection to connection group 2 only?

Also when you say --- authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response?

Need to know how i can do this?

 

Regards

MAhesh

 

 

Highlighted
Hall of Fame Master

Mahesh If you have a single

Mahesh

 

If you have a single authentication server (or a pair of servers in HA operation) then it would seem that the vendor would be authenticated no matter which group they are attempting to access.

 

I have a customer that looked into using the group lock feature to accomplish something similar to what you describe. They used RSA two factor authentication as you do. What they looked into was to send the authentication request to a Radius server. The Radius server would send the ID and code entered to RSA to do the two factor authentication and the Radius server would also querry Active Directory to learn about group membership of the user. The Radius server then would return the results from RSA and the group ED to the ASA which would use group lock feature to be sure that the user was accessing the right group. Perhaps something like that might work for you?

 

HTH

 

Rick

Frequent Contributor

 Hi Rick, I will look into

 

Hi Rick,

 

I will look into this and try to do this via sending query to Active Directory also.

Regards

Mahesh