Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
425
Views
0
Helpful
2
Replies

WebVPN Clientless Portal - Contractor Solution

Go to solution
Ben Cargill
Level 1
Level 1

‎04-02-2013 06:03 AM

I am setting up a 5520 ASA for a WebVPN Clientless portal.  This is for Non Company, Outside Contractor access Only.

The goal is to make it so each different Contractor will have their own very specific access to what is needed inside.

It looks like I can do this with a Web ACL and filter on a URL or Address / Service and then assign to either a group policy or DAP.

I will have the ASA pointing using Radius to an Entrust server for Authentication with a one time password.

The hang up I'm having is how do I uniquely identify the different contractors so they can only login with their specific Group Policy / Tunnel Group / Web ACL and not login to any others and have their access.  Either if Its setup so they pick their specific group from the portal login page or If using a DAP to dynamically assign that.

The old setup we had was just IPSEC using the old VPN client.  Would create the Tunnel group and Group policy for the contractor / company and provide them the PCF file with all the information, and have a VPN-filter to only allow specific access.

I'm now just trying to figure the best most appropriate way to do this but with the Clientless portal and possibly the AnyConnect client.

Any recommendations / assistance would be appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎04-02-2013 07:47 AM

Ben,

You can provide the contractors separate (group) URLs for each of the contractor groups.

i.e. https://asa.mycompany.tld/Contractor_CompanyA

and https://asa.mycompany.tld/JohnContractorsky

The group-url maps to a particular tunnel group.

On top (if entrust can do that) you can send group-lock from server to make sure that user belonging to group A do not log in to group B's resources.

M.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎04-02-2013 07:47 AM

Ben,

You can provide the contractors separate (group) URLs for each of the contractor groups.

i.e. https://asa.mycompany.tld/Contractor_CompanyA

and https://asa.mycompany.tld/JohnContractorsky

The group-url maps to a particular tunnel group.

On top (if entrust can do that) you can send group-lock from server to make sure that user belonging to group A do not log in to group B's resources.

M.

0 Helpful

Go to solution
Ben Cargill
Level 1
Level 1
In response to Marcin Latosiewicz

‎04-02-2013 12:30 PM

I forgot about the Group URL's.  That will help me.  I'll have to investigate if Entrust can do group-lock, I know you can in ACS.  Thanks for the reply.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents