Deny IPSEC and allow Clientless VPN for a group

groupedlsi
Level 1

Hello,

I'm trying to block L2TP over IPsec, and allow Clientless VPN for a group from Active Directory (with a RADIUS server).

But I've failed to deny the IPsec access...

I have two groups that have different class 25 attributes:

CN=IPSEC_user;

CN=WebSSL_user;

And I want to deny IPsec access for CN=WebSSL_user but allow this one to access Clientless SSL VPN, and vice versa for CN=IPSEC_user.

For the group IPSEC_user there is no problem (I've disabled almost everything in a DAP), but for CN=WebSSL_user I don't know how to deny the IPsec access.

3 Replies

Herbert Baerten
Cisco Employee

Hi Ludovic,

In the group-policy you can specify which protocols are allowed to be used:

group-policy WebSSL_user attributes
  vpn-tunnel-protocol webvpn

group-policy IPsec_user attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec

(depending on the ASA version, you may or may not need to specify IPsec in addition to l2tp-ipsec).

You could also push these from the RADIUS server. I don't know the attribute to use off the top of my head, but let me know if you need it.

hth

Herbert

Hi Herbert, thanks for the answer.

I have it, I just added "OU=grouppolicyname;" in the RADIUS class 25 attribute.

I.e. for SSL only, in the RADIUS class 25 attribute I have "OU=WebSSLGroup;CN=WebSSL_user;"

Oh I completely overlooked that, you were using CN instead of OU. Note that the CN is ignored by the ASA, so only the OU is used to define the group-policy.

I'm just guessing now, but if you meant to assign a tunnel-group, that is not possible, because the RADIUS authentication only takes place after a tunnel-group has already been selected (since authentication is a property of the tunnel-group).

In this kind of scenario that is usually not a problem, it is ok for all users to even connect to the same tunnel-group, and just get different group-policies.

If for some reason you do want to have 2 tunnel-groups and want to prevent users from connecting to the 'wrong' one, then you can use the group-lock feature for that. This will deny the connection if the user connected to the wrong TG.

i.e.

group-policy WebSSL_user attributes
  vpn-tunnel-protocol webvpn
  group-lock value myWebSSLTunnelGroup

hth

Herbert
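Added example (not from this thread or from Cisco): a small Python model of the decision logic described above, useful for checking a planned set of group-policies before changing the ASA. The RADIUS Class (attribute 25) value selects the group-policy through its OU= field (CN= is ignored), the group-policy's vpn-tunnel-protocol list decides which protocols may connect, and group-lock rejects sessions arriving on a different tunnel-group. The policy names, tunnel-group names and Class values below are constructed.

```python
"""Model of the ASA group-policy selection described in the thread.
This is an added illustration, not Cisco code: it mirrors the behaviour the
replies describe so a planned configuration can be sanity-checked offline."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class GroupPolicy:
    name: str
    tunnel_protocols: Set[str]          # vpn-tunnel-protocol, e.g. {"webvpn"}
    group_lock: Optional[str] = None    # tunnel-group required by group-lock, if any


def group_policy_from_class(class_value: str) -> Optional[str]:
    """Return the OU= value of a RADIUS Class attribute (attribute 25).
    Other fields such as CN= are ignored, as the thread says the ASA does.
    Returns None when no usable OU= field is present."""
    for part in class_value.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key.strip().upper() == "OU" and value.strip():
            return value.strip()
    return None


def session_allowed(policies: Dict[str, GroupPolicy], class_value: str,
                    protocol: str, tunnel_group: str) -> Tuple[bool, str]:
    """Decide whether a session using `protocol` on `tunnel_group` is permitted
    for a user whose RADIUS reply carried `class_value`. Returns (allowed, reason)."""
    name = group_policy_from_class(class_value)
    if name is None or name not in policies:
        return False, "no group-policy selected from Class attribute"
    gp = policies[name]
    if protocol.lower() not in gp.tunnel_protocols:
        return False, f"{protocol} not in vpn-tunnel-protocol of {gp.name}"
    if gp.group_lock and gp.group_lock != tunnel_group:
        return False, f"group-lock: {gp.name} requires tunnel-group {gp.group_lock}"
    return True, "allowed"


# Constructed policies in the shape of the thread's configuration (names are assumptions).
POLICIES = {
    "WebSSLGroup": GroupPolicy("WebSSLGroup", {"webvpn"}, group_lock="myWebSSLTunnelGroup"),
    "IPsecGroup": GroupPolicy("IPsecGroup", {"ipsec", "l2tp-ipsec"}),
}

if __name__ == "__main__":
    # A WebSSL user trying L2TP over IPsec is denied by vpn-tunnel-protocol.
    print(session_allowed(POLICIES, "OU=WebSSLGroup;CN=WebSSL_user;", "l2tp-ipsec", "DefaultRAGroup"))
```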