08-06-2013 06:26 AM
Hello,
I'm running ASA v9 with AnyConnect to provide SSL VPN tunnels. Each tunnel gives access to a different network from the outside on a unique public IP address.
Each network tunnel can be mounted with a unique URL like https://aa.bb/tunnelA and https://aa.bb/tunnelB
My users are identified by an external RADIUS server (user1@domainA.local).
Everything works great except one thing: a user restricted to accessing tunnelA can mount tunnelB if they know the URL of tunnelB (with the userID defined for tunnelA).
Example: on the AnyConnect client, user1@tunnelB.local can open tunnelA on the URL https://aa.bb/tunnelA
This is a huge security risk.
I don't know how it's possible.
I've configured each tunnel like this : [Edit] See attached file for config, cannot paste plain text code
Can anyone explain to me how to link a userID to a tunnel URL, or whatever?
Maybe it's my RADIUS server that doesn't receive or determine which domain is being accessed when the URL of tunnelA is sent, and so can't match the URL domain against the user domain.
Thanks for reading.
08-07-2013 02:21 AM
Have a look at group-lock (it can be sent over RADIUS). Basically you can bind a particular user to a particular group.
M.
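To make the suggestion above concrete, here is an added ASA configuration sketch that is not part of the original thread. The tunnel-group names tunnelA/tunnelB, the group-policy names gp_tunnelA/gp_tunnelB, the pool names ip_pool_A/ip_pool_B and the FreeRADIUS users entry are all assumptions; the only names taken from the thread are aa.bb and RADIUS_SRV. The important point it shows: a group-lock only helps if the group policy that carries it is the one the RADIUS authorization assigns to the user. If every tunnel-group simply points at its own default group policy with a lock on itself, a user who connects through the tunnelA URL lands in gp_tunnelA, whose lock says tunnelA, and nothing is rejected. The lock has to come from the user's authorization (here via the Class attribute, OU=<group-policy>) so that a tunnelB user arriving on the tunnelA URL is placed in gp_tunnelB, whose lock value (tunnelB) does not match the tunnel-group actually used (tunnelA), and the ASA refuses the session.

```text
! ---- ASA side (assumed names; example config, not the poster's) ----
! One tunnel-group per network, each reachable only through its own group-url.
tunnel-group tunnelA type remote-access
tunnel-group tunnelA general-attributes
 address-pool ip_pool_A
 authentication-server-group RADIUS_SRV
 authorization-server-group RADIUS_SRV
 default-group-policy gp_tunnelA
tunnel-group tunnelA webvpn-attributes
 group-url https://aa.bb/tunnelA enable

tunnel-group tunnelB type remote-access
tunnel-group tunnelB general-attributes
 address-pool ip_pool_B
 authentication-server-group RADIUS_SRV
 authorization-server-group RADIUS_SRV
 default-group-policy gp_tunnelB
tunnel-group tunnelB webvpn-attributes
 group-url https://aa.bb/tunnelB enable

! One group policy per network. Each one locks its members to its own
! tunnel-group; a session arriving through any other tunnel-group is rejected.
group-policy gp_tunnelA internal
group-policy gp_tunnelA attributes
 vpn-tunnel-protocol ssl-client
 group-lock value tunnelA
group-policy gp_tunnelB internal
group-policy gp_tunnelB attributes
 vpn-tunnel-protocol ssl-client
 group-lock value tunnelB

! ---- RADIUS side (assumed FreeRADIUS "users" file syntax) ----
! The authorization reply must pin the user to a group policy, otherwise the
! ASA falls back to the tunnel-group's default-group-policy and the lock
! always matches. Class (IETF attribute 25) with "OU=<name>;" selects the
! ASA group policy by name.
!
! user1@tunnelA.local  Cleartext-Password := "example-only"
!         Class = "OU=gp_tunnelA;"
!
! user1@tunnelB.local  Cleartext-Password := "example-only"
!         Class = "OU=gp_tunnelB;"
```

To verify, connect as the tunnelB user to https://aa.bb/tunnelA: the login should be refused. For a successful session, `show vpn-sessiondb anyconnect` lists both the Tunnel Group and the Group Policy applied; the two should always correspond (tunnelA with gp_tunnelA, tunnelB with gp_tunnelB). If the Group Policy shown is the tunnel-group's default rather than the one you expect from RADIUS, the authorization reply is not reaching the ASA and the lock is not doing anything yet.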
08-08-2013 12:06 AM
Thanks a lot for your reply, I will try it and come back to give some news.
If I've understood correctly, I modify my group-policy attributes to add:
group-lock value
And add address-pool ip_pool to my tunnel-group like:
tunnel-group my_tunnel-group type remote-access
tunnel-group my_tunnel-group general-attributes
address-pool ip_pool <<< corresponds to the ip local pool ... of this tunnel
authentication-server-group RADIUS_SRV
authorization-server-group RADIUS_SRV
default-group-policy my_group-policy <<< where my group-lock value is
Right?