Authentication and Authorization

wngwngwng
Level 1

Hi all,

I currently have several connection profiles set up. I have a Connection Profile A that everyone uses for general connectivity and I have a Connection Profile B that only a specific subset of users (i.e. DB Admins) use. Both use RSA to authenticate to their respective profiles. Is there a further way to isolate these profiles from each other? For connection profile A they would use RSA and be a member of an LDAP group named 'Remote Users', and for connection profile B they must use RSA to authenticate and be a member of an LDAP group named 'DBA'. If this is possible, suggestions/documentation are welcomed. I looked at the Authentication and Authorization within the profiles. Maybe I need further explanation of what each does.

Thanks in Advance.

1 Reply

Todd Pula
Level 7

There are multiple approaches that you can take.  ASA 8.2 and later supports double authentication allowing you to have a primary and secondary authentication method. You can also look into dynamic group-policy assignment based on LDAP or RADIUS attributes and then lock the user to a particular tunnel group using the group-lock feature.  This will prevent a user from "Remote Users" from logging in as "DBA" and vice versa.  You can also look into DAP policies which can be used to restrict connections based on a configured set of rules.

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1243545

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

http://www.cisco.com/en/US/customer/products/ps6120/products_white_paper09186a00809fcf38.shtml
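As an added illustration of the second approach in the reply (LDAP-attribute-based group-policy assignment plus group-lock), here is an ASA configuration sketch. It is not from the original thread or from Cisco's documentation; every name, address and DN in it (the aaa-server names, the 192.0.2.x hosts, the example.com directory, the group-policy and tunnel-group names) is an assumed placeholder to be replaced with your own values. The pattern is: RSA authenticates the user, LDAP authorization pulls the user's memberOf values, the attribute map turns a group DN into a group-policy name, and group-lock on that group-policy rejects the session if it arrived on the wrong tunnel group. Users who match neither group fall through to a default policy that allows zero logins.

```cisco
! --- Added example, not the thread's or Cisco's own config. All names/addresses are placeholders. ---

! LDAP attribute map: memberOf DN -> ASA group-policy name.
! On ASA 8.2+ the Cisco-side attribute is Group-Policy; on older images use IETF-Radius-Class.
ldap attribute-map LDAP_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Remote Users,OU=Groups,DC=example,DC=com" GP_REMOTE_USERS
 map-value memberOf "CN=DBA,OU=Groups,DC=example,DC=com" GP_DBA

! LDAP server used only for authorization (group lookup), not for the password check.
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map LDAP_GROUP_MAP

! RSA SecurID server used for authentication of both profiles.
aaa-server RSA_SRV protocol sdi
aaa-server RSA_SRV (inside) host 192.0.2.20

! Fallback policy for users found in LDAP but in neither mapped group: no sessions allowed.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! Each mapped policy is locked to exactly one tunnel group.
! A DBA member connecting to TG_REMOTE_USERS gets GP_DBA from LDAP, whose lock
! names TG_DBA, so the ASA rejects the session (and vice versa).
group-policy GP_REMOTE_USERS internal
group-policy GP_REMOTE_USERS attributes
 group-lock value TG_REMOTE_USERS

group-policy GP_DBA internal
group-policy GP_DBA attributes
 group-lock value TG_DBA

! Connection Profile A: general users.
tunnel-group TG_REMOTE_USERS type remote-access
tunnel-group TG_REMOTE_USERS general-attributes
 authentication-server-group RSA_SRV
 authorization-server-group LDAP_SRV
 authorization-required
 default-group-policy GP_NOACCESS

! Connection Profile B: DB admins.
tunnel-group TG_DBA type remote-access
tunnel-group TG_DBA general-attributes
 authentication-server-group RSA_SRV
 authorization-server-group LDAP_SRV
 authorization-required
 default-group-policy GP_NOACCESS
```

Two checks worth doing after applying something like this: `test aaa-server authorization LDAP_SRV username <user>` should return the mapped group-policy for a member of each group, and `debug ldap 255` during a test login will show which memberOf value matched. Note that authorization-required only rejects users the LDAP lookup cannot find; the zero-login default policy is what closes the gap for users who exist in the directory but belong to neither group.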