ASA VPN IPSec rule based on AD user

CCCcisco_2
Level 1

Need an ASA rule that allows only a specific VPN user access to a specific internal IP. Is there a way to do this? We use ACS for AD authentication for the remote VPN users, so the user is known. Can I do this in the ASA (preferred), or do we need to get creative with the ACS? We use an IP pool for the VPN user IPs, so I don't know the user IP ahead of time.

Thanks,

-Keith


3 Replies

Nicolas Fournier
Cisco Employee

Hi Keith,

I see two ways to do this but both of them will require a little help from the ACS server.

1.) Different group-policies

You can set the group policy the user will be put into by setting the attribute 25 value on the ACS to "OU=

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

Once this is done, you can bind a different vpn-filter to each group-policy and control your user access by this means.

2.) Setting up the vpn-filter on the ACS directly.

You can define the vpn-filter on the ACS directly through the AV-pair attribute on your ACS. With this method, you can have all users share the same group-policy but use different vpn filters.

More info on how to set this up:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/extsvr.html#wp1675755

Regards,

Nicolas

Thanks, I'll try your suggestions.

- Keith


Hey Keith,

We tried this and found it was much easier to bypass ACS and go straight to AD using LDAP, and map to different VPN group policies based on AD group membership. Much cleaner and lots more options for control.

Russell

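The two mechanisms discussed in this thread, a vpn-filter bound to a group-policy (Nicolas's option 1) and selecting that group-policy from AD group membership over LDAP (Russell's reply), put together as one added ASA configuration example. This is not configuration posted by anyone in the thread; every name, DN, and address in it (GP-FINANCE, VPNFILTER-FINANCE, AD-MAP, AD-LDAP, the VPN-Finance AD group, example.com, 10.10.20.5, 10.10.10.10) is an assumed placeholder. The ACS/RADIUS variant is noted in a comment: with ACS you would return the same group-policy name in RADIUS attribute 25 (Class) as "OU=GP-FINANCE;" instead of using the LDAP attribute map.

```cisco
! Added example (constructed, not from the original thread). Goal: a user in the
! AD group "VPN-Finance" may reach only 10.10.20.5 on TCP/443; everyone else
! who authenticates but is not in a mapped group gets no VPN access at all.

! 1. The vpn-filter ACL. Write it with the VPN client as the SOURCE and the
!    internal host as the DESTINATION; the ASA evaluates a vpn-filter for
!    traffic in both directions of the tunnel, so one ACL is enough.
!    The client side is "any" because the pool address is not known in advance,
!    which is exactly the problem raised in the question.
access-list VPNFILTER-FINANCE extended permit tcp any host 10.10.20.5 eq 443
access-list VPNFILTER-FINANCE extended deny ip any any

! 2. A group-policy per access level. The restricted policy carries the filter;
!    the catch-all policy allows zero simultaneous logins, which is the usual
!    way to deny users who authenticate but match no mapping.
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-filter value VPNFILTER-FINANCE
 vpn-tunnel-protocol ikev1 ssl-client

group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! 3. LDAP attribute map: translate the user's AD memberOf value into the
!    ASA "Group-Policy" attribute. Only the listed DN is mapped; a user with
!    no matching memberOf falls through to the tunnel-group default policy.
!    (ACS alternative: return RADIUS attribute 25 Class = "OU=GP-FINANCE;"
!    for the same users and skip this map.)
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" GP-FINANCE

! 4. Point authentication straight at AD over LDAP (assumed server and bind DN).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.10.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-MAP

! 5. Tie it to the remote-access tunnel-group; the default policy is the
!    deny-all one, so only mapped groups ever get a usable session.
tunnel-group REMOTE-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

Two checks worth doing after applying this: `show vpn-sessiondb detail` (or `show vpn-sessiondb anyconnect` / `remote`) on a test login should report GP-FINANCE and the VPNFILTER-FINANCE filter for a VPN-Finance member, and `debug ldap 255` during that login shows the memberOf values returned by AD and which map-value matched. Note that memberOf is only populated for direct group membership, so nested AD groups will not match the map unless the user is a direct member of the listed group.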