anyconnect vpn multiple group policy with RADIUS and OTP

satish.txt1
Level 1

We have a Cisco ASA for remote access VPN, an LDAP server as our centralized directory server, and we use the OneLogin OTP service (for token auth); at this point everything is working great!

But now I want to create multiple groups, "sale", "marketing" and "finance", and we are going to create an ACL for each group so people can't access specific URLs or applications based on their role. Now the question is how to do that with RADIUS (also, it's OneLogin's third-party OTP).

9 Replies

GioGonza
Level 4

Hello @satish.txt1

The way to do it is with attribute 25 from the RADIUS server; this is the way to map the user to a specific group-policy, and you can apply different rules in the configuration.

This is the link for your reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html.

HTH

Gio

Thanks!

So RADIUS will send attribute 25, but in my case we are using the third-party service "onelogin", which provides a RADIUS + OTP service, so in that case do I need to contact them to send that attribute?

Hello @satish.txt1

If that is your case, you need to talk to them in order to generate attribute 25 and make it work, but checking their website I think this cannot be done:

https://support.onelogin.com/hc/en-us/articles/202361670-Configuring-the-RADIUS-Server-Interface

Either way, check with them and verify if that is feasible.

HTH

Gio

I talked to them and they don't have that feature where you can use RADIUS attribute 25 or Cisco-VPN-Tunnel-Group-Name= etc.

Is there any way I can create a local user list and say "don't allow these users in group A"? Does the ASA support that?

or

Can I create two ASA web portals, a.example.com and b.example.com, and tie each URL to a specific group?

Hello @satish.txt1

For the first option, the ASA doesn't support that feature. For the second option, there is a way :) you can use group-url and apply a different URL for 2 different groups; with this you can apply different policies to each of them.

This is how you can do it:

Group 1:

tunnel-group Employees-Group1 type remote-access
tunnel-group Employees-Group1 general-attributes
authentication-server-group (inside) RadiusACS12
accounting-server-group RadiusACS12
default-group-policy Employees-Group1
tunnel-group Employees-Group1 webvpn-attributes
group-url https://asa-vpn1.companyAsite.com/Employees-Group1 enable
webvpn
tunnel-group-list enable

Group 2:

tunnel-group Employees-Group2 type remote-access
tunnel-group Employees-Group2 general-attributes
authentication-server-group (inside) RadiusACS12
accounting-server-group RadiusACS12
default-group-policy Employees-Group2
tunnel-group Employees-Group2 webvpn-attributes
group-url https://asa-vpn2.companyBsite.com/Employees-Group2 enable
webvpn
tunnel-group-list enable

With this, the user lands in a specific group depending on the URL the user types in, for example:

https://asa-vpn1.companyAsite.com/Employees-Group1 

https://asa-vpn2.companyBsite.com/Employees-Group2

Two different URLs for two specific groups. 

This is the link for reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

HTH

Gio

Thanks, that is great!

What if Group 2 uses the Group 1 URL? In that case they can access all services, right? Or will they get permission denied?

Hello @satish.txt1

Unfortunately, the users can connect to both of them since you are not doing any mapping for the connection; they only need the other URL, and as you are using the same authentication for both of them, they can connect and the ASA will apply the policy according to the group they connected to, but it will not deny anything to those users.

You will need to use RADIUS mapping, LDAP mapping or certificate mapping, but for your case it doesn't apply. I'm sorry.

HTH

Gio

I am going to build a FreeRADIUS server in house; is it possible I can use attribute 25 (Class) there and then proxy the rest of my requests to the OneLogin RADIUS?

In short, my FreeRADIUS will act like a proxy and it will only handle group mapping.

This is what I did: I installed the FreeRADIUS server and did the following configuration in the post-auth section

# inside the post-auth { } section of the site configuration
# the ASA reads Class as "OU=<group-policy>;" and selects that group-policy,
# so the value (including the trailing semicolon) is quoted as a string
if (LDAP-Group == "sales") {
    update reply {
        Class = "OU=GroupPolicy_ANYCONNECT-SALES;"
        Reply-Message = "You are Accepted"
    }
}
elsif (LDAP-Group == "finance") {
    update reply {
        Class = "OU=GroupPolicy_ANYCONNECT-FINANCE;"
        Reply-Message = "You are Accepted"
    }
}
else {
    # users in neither group get an Access-Reject
    reject
}

At the ASA (the following is for sales; I have the same one for finance)

group-policy GroupPolicy_ANYCONNECT-SALES internal
group-policy GroupPolicy_ANYCONNECT-SALES attributes
 dns-server value 10.0.0.10 10.0.0.11
 vpn-filter value VPN-FILTER-SALES
 vpn-tunnel-protocol ssl-client
 group-lock value SALES
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ANYCONNECT-SALES
 default-domain value sales.com
!
!
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group RADIUS
 default-group-policy GroupPolicy_ANYCONNECT-SALES
tunnel-group SALES webvpn-attributes
 group-alias SALES enable

I am seeing the ASA VPN allowing user A to authenticate to both tunnels. How do I lock it down so user A won't be able to authenticate to Finance and user B won't be able to authenticate to Sales? In short, a user should only be able to authenticate to their own group profile.
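To make the two mechanisms discussed in this thread concrete, here is an added Python model (not ASA or FreeRADIUS code, and not from any poster) of how the Class attribute from the FreeRADIUS post-auth block selects a group-policy, how the ASA falls back to the tunnel-group's default-group-policy when RADIUS sends no attribute 25 (the group-url-only case Gio describes), and how group-lock compares the selected policy against the tunnel-group the user chose. The users, their LDAP groups and the ASA lookup tables are constructed for the example.

```python
"""Model of the RADIUS Class (attribute 25) to ASA group-policy mapping from
the thread, plus the ASA group-lock check. Added example, not ASA or
FreeRADIUS code; users and their LDAP groups are constructed."""
from typing import Optional

# Constructed directory: user -> LDAP groups (hypothetical users)
LDAP_GROUPS = {"alice": {"sales"}, "bob": {"finance"}, "carol": {"hr"}}
# Mirrors the post-auth block: LDAP group -> ASA group-policy name
GROUP_TO_POLICY = {"sales": "GroupPolicy_ANYCONNECT-SALES",
                   "finance": "GroupPolicy_ANYCONNECT-FINANCE"}
# ASA side: tunnel-group -> default-group-policy, group-policy -> group-lock
TUNNEL_GROUPS = {"SALES": "GroupPolicy_ANYCONNECT-SALES",
                 "FINANCE": "GroupPolicy_ANYCONNECT-FINANCE"}
GROUP_LOCK = {"GroupPolicy_ANYCONNECT-SALES": "SALES",
              "GroupPolicy_ANYCONNECT-FINANCE": "FINANCE"}

def radius_post_auth(user: str) -> Optional[str]:
    """Class value the FreeRADIUS proxy returns; None means Access-Reject."""
    for group, policy in GROUP_TO_POLICY.items():
        if group in LDAP_GROUPS.get(user, set()):
            return f"OU={policy};"  # the 'OU=<policy>;' form the ASA parses
    return None  # the unlang 'else { reject }' branch

def parse_class(value: str) -> Optional[str]:
    """Group-policy name from a Class value of the form 'OU=<policy>;'."""
    if not (value.startswith("OU=") and value.endswith(";")):
        return None
    return value[3:-1]

def asa_connect(user: str, tunnel_group: str, radius_sends_class: bool = True) -> str:
    """Outcome of a user selecting a tunnel-group (group-alias or group-url).
    radius_sends_class=False models a RADIUS service with no attribute 25:
    the ASA then falls back to the tunnel-group's default-group-policy."""
    if tunnel_group not in TUNNEL_GROUPS:
        return "reject: unknown tunnel-group"
    if user not in LDAP_GROUPS:
        return "reject: authentication failed"
    policy = None
    if radius_sends_class:
        cls = radius_post_auth(user)
        if cls is None:
            return "reject: RADIUS Access-Reject (no mapped LDAP group)"
        policy = parse_class(cls)
    if policy is None:  # no Class -> default-group-policy of the tunnel-group
        policy = TUNNEL_GROUPS[tunnel_group]
    lock = GROUP_LOCK.get(policy)
    if lock is not None and lock != tunnel_group:
        return f"reject: group-lock {lock} does not match {tunnel_group}"
    return f"accept: {policy}"
```

Running asa_connect("alice", "FINANCE") with and without radius_sends_class shows the difference between a mapped and an unmapped deployment: with the Class attribute the group-lock on the sales policy rejects the cross-group connection, without it the user simply lands in the finance tunnel-group's default policy.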
