10-23-2017 01:07 PM - edited 03-12-2019 04:39 AM
We have a Cisco ASA for remote access VPN, we have an LDAP server as our centralized directory server, and we are using the OneLogin OTP service (for token auth); at this point everything is working great!
But now I want to create multiple groups, "sales", "marketing" and "finance". We are going to create an ACL for each group so people can't access specific URLs or applications based on their role. Now the question is how to do that with RADIUS (also, it's in the OneLogin third-party OTP service).
10-23-2017 02:49 PM
Hello @satish.txt1,
The way to do it is with attribute 25 from the RADIUS server; this is the way to map the user to a specific group-policy, and you can apply different rules in the configuration.
This is the link for your reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html.
HTH
Gio
10-23-2017 02:57 PM
Thanks!
So RADIUS will send attribute 25, but in my case we are using the third-party service "OneLogin", which provides a RADIUS + OTP service. In that case, do I need to contact them to send that attribute?
10-23-2017 03:06 PM
Hello @satish.txt1,
If that is your case, you need to talk to them in order to generate attribute 25 and make it work, but checking their website I think this cannot be done:
https://support.onelogin.com/hc/en-us/articles/202361670-Configuring-the-RADIUS-Server-Interface
Either way, check with them and verify whether that is feasible.
HTH
Gio
10-26-2017 09:24 AM
I talked to them and they don't have that feature where you can use RADIUS attribute 25 or Cisco-VPN-Tunnel-Group-Name=, etc.
Is there any way I can create a local user list and say "don't allow these users in group A"? Does the ASA support that?
or
Can I create two ASA web portals, a.example.com and b.example.com, and tie each URL to a specific group?
10-26-2017 09:42 AM
Hello @satish.txt1,
For the first option, the ASA doesn't support that feature. For the second option, there is a way :) you can use group-url and apply a different URL for the 2 different groups; with this you can apply different policies to each one of them.
This is how you can do it:
Group 1:
tunnel-group Employees-Group1 type remote-access
tunnel-group Employees-Group1 general-attributes
 authentication-server-group (inside) RadiusACS12
 accounting-server-group RadiusACS12
 default-group-policy Employees-Group1
tunnel-group Employees-Group1 webvpn-attributes
 group-url https://asa-vpn1.companyAsite.com/Employees-Group1 enable
webvpn
 tunnel-group-list enable
Group 2:
tunnel-group Employees-Group2 type remote-access
tunnel-group Employees-Group2 general-attributes
 authentication-server-group (inside) RadiusACS12
 accounting-server-group RadiusACS12
 default-group-policy Employees-Group2
tunnel-group Employees-Group2 webvpn-attributes
 group-url https://asa-vpn2.companyBsite.com/Employees-Group2 enable
webvpn
 tunnel-group-list enable
With this, the user lands in a specific group depending on the URL the user types in, for example:
https://asa-vpn1.companyAsite.com/Employees-Group1
https://asa-vpn2.companyBsite.com/Employees-Group2
Two different URLs for two specific groups.
This is the link for reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
HTH
Gio
10-26-2017 12:49 PM
Thanks that is great!
What if Group 2 uses the Group 1 URL? In that case they can access all services, right? Or will they get permission denied?
10-27-2017 07:29 AM
Hello @satish.txt1,
Unfortunately, the users can connect to both of them, since you are not doing any mapping for the connection; they only need the other URL, and as you are using the same authentication for both of them, they can connect. The ASA will apply the policy as per the group connected to, but it will not deny anything to those users.
You will need to use RADIUS mapping, LDAP mapping or certificate mapping, but for your case it doesn't apply. I'm sorry.
HTH
Gio
10-27-2017 07:58 AM
I am going to build a FreeRADIUS server in house. Is it possible I can use the Class attribute (25) there and then proxy the rest of my requests to the OneLogin RADIUS?
In short, my FreeRADIUS will act like a proxy and it will only handle group mapping.
11-01-2017 06:16 PM
This is what I did: I installed a FreeRADIUS server and did the following configuration in the post-auth section:
if (LDAP-Group == "sales") {
    update reply {
        Class = "OU=GroupPolicy_ANYCONNECT-SALES"
        Reply-Message = "You are Accepted"
    }
}
elsif (LDAP-Group == "finance") {
    update reply {
        Class = "OU=GroupPolicy_ANYCONNECT-FINANCE"
        Reply-Message = "You are Accepted"
    }
}
else {
    reject
}
At the ASA (the following is for sales, and I have the same for finance):
group-policy GroupPolicy_ANYCONNECT-SALES internal
group-policy GroupPolicy_ANYCONNECT-SALES attributes
 dns-server value 10.0.0.10 10.0.0.11
 vpn-filter value VPN-FILTER-SALES
 vpn-tunnel-protocol ssl-client
 group-lock value SALES
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ANYCONNECT-SALES
 default-domain value sales.com
!
!
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group RADIUS
 default-group-policy GroupPolicy_ANYCONNECT-SALES
tunnel-group SALES webvpn-attributes
 group-alias SALES enable
I am seeing the ASA VPN allowing user A to authenticate in both tunnel groups. How do I lock it down so user A won't be able to authenticate in Finance and user B won't be able to authenticate in Sales? In short, a user should only be able to authenticate to their own group profile.
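The thread shows the post-auth mapping half of the design (local FreeRADIUS assigns the Class attribute from LDAP group membership) but not the proxy half (forwarding the username + OTP check to OneLogin). The following is an added example, not the poster's configuration and not OneLogin's or Cisco's documentation, of how the two halves fit together in FreeRADIUS 3.x. It assumes the default /etc/raddb layout, that the ldap module is already configured with group lookups so that LDAP-Group can be compared, and that the OneLogin RADIUS address and shared secret are the placeholders shown; the LDAP group and ASA group-policy names are the ones from the thread.

```conf
# --- /etc/raddb/proxy.conf -------------------------------------------------
# The home server is the OneLogin RADIUS endpoint that validates password + OTP.
# ipaddr and secret are placeholders (assumption); use the values OneLogin gives you.
home_server onelogin_radius {
    type            = auth
    ipaddr          = 192.0.2.10          # placeholder, not a real OneLogin address
    port            = 1812
    secret          = "CHANGE_ME_SHARED_SECRET"
    response_window = 30                  # OTP entry can be slow; don't time out early
    status_check    = none
}

home_server_pool onelogin_pool {
    type        = fail-over
    home_server = onelogin_radius
}

realm onelogin {
    auth_pool = onelogin_pool
    nostrip                               # forward User-Name exactly as the ASA sent it
}

# --- /etc/raddb/sites-enabled/default (relevant sections only) --------------
authorize {
    preprocess
    ldap            # loads the user's directory entry so LDAP-Group can be evaluated
    # Every Access-Request from the ASA is proxied to OneLogin for the credential check.
    update control {
        Proxy-To-Realm := "onelogin"
    }
}

post-proxy {
    # Strip any Class value the upstream server may return so that only the
    # group-policy mapping decided locally reaches the ASA.
    update reply {
        Class !* ANY
    }
}

post-auth {
    # Runs only when OneLogin answered Access-Accept. Decide the ASA group-policy
    # from directory group membership; users in neither group are rejected even
    # though their OTP was valid (the same if/elsif/else pattern as in the thread).
    if (LDAP-Group == "sales") {
        update reply {
            Class := "OU=GroupPolicy_ANYCONNECT-SALES"
        }
    }
    elsif (LDAP-Group == "finance") {
        update reply {
            Class := "OU=GroupPolicy_ANYCONNECT-FINANCE"
        }
    }
    else {
        reject
    }

    Post-Auth-Type REJECT {
        # Upstream rejected (bad password/OTP) or the else-branch above fired.
        attr_filter.access_reject
    }
}
```

With this layout the local server never sees a "good" authentication it did not forward to OneLogin, and the ASA never receives a Class value it did not set itself, so the group-policy (and the vpn-filter ACL and group-lock attached to it) is chosen by directory membership rather than by which tunnel-group or URL the user picked. Test with `radtest` against the local server and watch `radiusd -X` to confirm the proxied exchange and the Class attribute in the final Access-Accept.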