ASA RAVPN: Single Certificate Auth -> 2 IP address pools segmentation
I am working on a particular problem of assigning multiple groups of VPN users to 2 separate IP address pools. The issue is easily solvable using group authentication, since you can bind an IP address pool to a group in the Cisco ASA configuration:
hostname(config)# tunnel-group testgroup type ipsec-ra
When I configure a VPN client to use a digital certificate, this option of selecting a “group” goes away. Is it possible to segment groups of VPN users to different IP pools, when they are auth-ing with certificates? Some ideas I have:
- Use two different trustpoints: messy because each client has to be issued new certificates, or
- Somehow bind group1 to a different external ASA IP address: I don't know if I can configure multiple IP addresses to support different VPNs on one ASA?
- Explore "mutual group authentication": the definition is confusing in itself, however, and I cannot even decide what it does or whether it will work for this.
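As an added example (not part of the original post), the following ASA configuration shows the certificate-map approach: a rule matches an attribute of the client certificate and selects the tunnel-group, and each tunnel-group carries its own address pool, so no client-side "group" selection is needed. Pool ranges, OU values, tunnel-group names and the trustpoint name are assumed; the trustpoint itself is assumed to be enrolled already.

```cisco
! Two address pools, one per user population (constructed ranges)
ip local pool POOL_GROUP1 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL_GROUP2 10.10.2.1-10.10.2.254 mask 255.255.255.0

! Certificate maps: match on an attribute the issuing CA controls (here the OU),
! so the assignment cannot be changed by the client picking a group name
crypto ca certificate map CERT_MAP_GROUP1 10
 subject-name attr ou eq group1
crypto ca certificate map CERT_MAP_GROUP2 10
 subject-name attr ou eq group2

! One tunnel-group per population, each bound to its own pool
tunnel-group TG_GROUP1 type ipsec-ra
tunnel-group TG_GROUP1 general-attributes
 address-pool POOL_GROUP1
tunnel-group TG_GROUP1 ipsec-attributes
 trust-point VPN_TRUSTPOINT
tunnel-group TG_GROUP2 type ipsec-ra
tunnel-group TG_GROUP2 general-attributes
 address-pool POOL_GROUP2
tunnel-group TG_GROUP2 ipsec-attributes
 trust-point VPN_TRUSTPOINT

! Select the tunnel-group from the certificate map instead of the client's group name;
! the sequence number refers to the rule index in the matching certificate map
tunnel-group-map enable rules
tunnel-group-map CERT_MAP_GROUP1 10 TG_GROUP1
tunnel-group-map CERT_MAP_GROUP2 10 TG_GROUP2
```

After a client connects, `show vpn-sessiondb remote` lists the tunnel-group and assigned address, which confirms the mapping landed in the intended pool; a certificate that matches no rule falls back to the default tunnel-group, so leave that group without a privileged pool.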