cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
464
Views
5
Helpful
7
Replies
Highlighted
Beginner

ASA Radius authentication concerns

Hello I am setting up an ASA to authenticate users to a radius box.  However once they are set up whats to stop them from getting another pcf file and authenticating with that pcf file and accessing the networks specific to that pcf file?  Is there a way to segment users?  Once I set up the radius authentication can a user just use whatever pcf file they want and authentica that way?

7 REPLIES 7
Highlighted
VIP Mentor

If you don't take any precautions, then it is possible that a user connects with a different PCF. You can configure group-lock or better, use a default group-policy that won't allow any access and assign the right group-policy with the RADIUS authorization-response.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Highlighted

Just adding to Karsten's recommendation, this guide shows how to use the ACS to assign the group-policy with the class attribute:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

After assigning the attribute for allowed users you can just set a default group-policy denying access, similar to the following:

group-policy NOACCESS internal

group-policy NOACCESS attributes

vpn-simultaneous-logins 0

It can also be done with a Microsoft server using RADIUS policies to assign attribute 25

Highlighted

So with the group policies if one of my customers gets ahold of a pcf file they won't be able to authenticate?  Wouldn't they just authenticate under a different group?

Highlighted

That's what the group-lock feature Karsten suggested is for, it will bind a tunnel-group to a group-policy, if you authenticate to a tunnel-group but the RADIUS mapping sends you to a group-policy different than the one specified in the group-lock value your connection attempt will be denied.

Further reading:

https://supportforums.cisco.com/thread/2085928

Herbert's reply offeres a very good explanation on how this feature works.

Highlighted

Hi,

Just adding more information about group-lock and RADIUS:

How to configure group lock through the RADIUS server on an ASA

Thanks.

Portu.

Please rate any posts you find helpful.

Highlighted

Thank you for all your help!

Highlighted

Hi Jeff,

You are welcome

Please take 1 minute to rate any posts you found helpful and mark it as answered.

Message was edited by: Javier Portuguez