ASA and ACS 5 multiple VPN profiles for one user

Dominic Stalder (old profile) · ‎05-22-2012

Hi there

I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:

ACS 5.3 group hierarchy:

- VPN users global

-- VPN users A

-- VPN users B

ASA VPN profiles:

- VPN profile A

- VPN profile B

- VPN profile Z

VPN authorizations:

1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class an no lock attributes, so the group is allowed for all VPN profiles)

2. VPN users A should have access to VPN profile A (here we create a authorization profile with class and lock attributes for profile A)

3. VPN users B should have access to VPN profiles B and Z (is this possible and how does the authorization profile have to look like?)

Thanks a lot in advance and best regards

Dominic

Herbert Baerten · ‎05-31-2012

Hi Dominic,

first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.

The Tunnel-Group (TG) is either selected by the user (either from a drop down list or by entering a specifiv group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.

The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.

So from the ASA's standpoint itself your posibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".

In other words you can not achieve your goal if the Radius server has a "static" set of attributes per user.

However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:

vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
vendor ID = 3076, attribute 150 is "Client Type" (integer)
0 = No Client specified  1 = Cisco VPN Client (IKEv1)  2 = AnyConnect Client SSL VPN  3 = Clientless SSL VPN  4 = Cut-Through-Proxy  5 = L2TP/IPsec SSL VPN  6 = AnyConnect Client IPsec VPN (IKEv2)

So if you can configure the Radius server to "dynamically" permit/deny access based on the TG attribute I suppose you could achieve what you want.

If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.

hth

Herbert

Mikayil Qasimov · ‎05-31-2012

hi,

It's possible. First of all you need to create vpn profile A and B , after these you need to create access policy and there identity group witch group want to give access and add A,B profiles that profile section. You need to just create access policy rule after group and profiles configuration.

Sent from Cisco Technical Support iPad App

Dominic Stalder (old profile) · ‎05-31-2012

Hi Herbert

thanks a lot for your great answer, I will do some tests on that, but on the ASA side I need support from the customer, I am not very familiar with the ASA configuration.

But on ACS side, I should be able to achieve the configuration needed for my requirements. I will get back to this discussion as soon as I have more questions or information.

Best regards

Dominic