09-14-2012 09:11 AM
Hello, I am setting up an ASA to authenticate users to a RADIUS box. However, once they are set up, what's to stop them from getting another PCF file, authenticating with that PCF file, and accessing the networks specific to that PCF file? Is there a way to segment users? Once I set up the RADIUS authentication, can a user just use whatever PCF file they want and authenticate that way?
09-14-2012 09:23 AM
If you don't take any precautions, then it is possible that a user connects with a different PCF. You can configure group-lock or, better, use a default group-policy that won't allow any access and assign the right group-policy with the RADIUS authorization response.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-14-2012 09:41 AM
Just adding to Karsten's recommendation, this guide shows how to use the ACS to assign the group-policy with the class attribute:
After assigning the attribute for allowed users you can just set a default group-policy denying access, similar to the following:
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
It can also be done with a Microsoft server using RADIUS policies to assign attribute 25.
09-14-2012 09:54 AM
So with the group policies, if one of my customers gets ahold of a PCF file, they won't be able to authenticate? Wouldn't they just authenticate under a different group?
09-14-2012 09:57 AM
That's what the group-lock feature Karsten suggested is for: it binds a tunnel-group to a group-policy. If you authenticate to a tunnel-group but the RADIUS mapping sends you to a group-policy different from the one specified in the group-lock value, your connection attempt will be denied.
Further reading:
https://supportforums.cisco.com/thread/2085928
Herbert's reply offers a very good explanation of how this feature works.
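As an added example (not from this thread, the linked guide, or Cisco's documentation), here is an ASA configuration fragment that puts the pieces from the replies above together: a default group-policy that permits no logins, a RADIUS-assigned group-policy that is group-locked to its own tunnel-group, and the tunnel-group that points at both. Every name (NOACCESS, GP_SALES, TG_SALES, RADIUS_SRV), the server address 192.0.2.10 and the bracketed secrets are assumptions or placeholders, not values from the thread.

```cisco
! Default policy: any user the RADIUS server does not explicitly map lands here
! and is refused, because zero simultaneous logins are allowed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy the RADIUS server assigns to sales users (assumed name).
! group-lock ties it to the TG_SALES tunnel-group: a user who connects with a
! different PCF (i.e. a different tunnel-group) but is mapped to GP_SALES is denied.
group-policy GP_SALES internal
group-policy GP_SALES attributes
 group-lock value TG_SALES
 vpn-simultaneous-logins 3

! RADIUS server definition (assumed interface name, address and secret placeholder).
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET>

! Tunnel-group matched by the group name in the sales PCF file (assumed name).
tunnel-group TG_SALES type remote-access
tunnel-group TG_SALES general-attributes
 authentication-server-group RADIUS_SRV
 default-group-policy NOACCESS
tunnel-group TG_SALES ipsec-attributes
 ikev1 pre-shared-key <PCF-GROUP-KEY>
```

On the RADIUS side, the access-accept for a sales user must carry the Class attribute (attribute 25) with the value `OU=GP_SALES;`, which is the format the ASA parses into a group-policy name. A user who presents the TG_SALES PCF but whose RADIUS reply carries no Class attribute falls to NOACCESS and is rejected; a user who presents some other group's PCF but is mapped to GP_SALES is rejected by the group-lock check, so in both cases possession of a PCF file alone does not grant access. The same pattern is repeated, with its own group-lock value, for each additional tunnel-group.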
09-14-2012 09:57 AM
Hi,
Just adding more information about group-lock and RADIUS:
Thanks.
Portu.
Please rate any posts you find helpful.
09-14-2012 09:59 AM
Thank you for all your help!
09-14-2012 10:08 AM
Hi Jeff,
You are welcome
Please take 1 minute to rate any posts you found helpful and mark it as answered.
Message was edited by: Javier Portuguez