cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
266
Views
0
Helpful
1
Replies
Highlighted
Beginner

Authentication and Authorization

Hi all,

I currently have serveral connection profiles setup.  I have a Connection Profile A that everyone uses for general connectivity and I have a Connection Profile B that only a specific subset of users (i.e. DB Admins) use.  Both use RSA to authenticate to their respective profiles.  Is there a further way to isolate these profiles from each other?.  For connection profile A they would use RSA and be a member of an LDAP group named 'Remote Users' and connection profile B they must use RSA to authenticate and be a member of an LDAP group named 'DBA'.  If this is possible, suggestions/documentation are welcomed.  I looked at the Authentication and Authorization within the profiles.  Maybe I need further explanation of what each does.

Thanks in Advance.

Everyone's tags (2)
1 REPLY 1
Highlighted
Rising star

Authentication and Authorization

There are multiple approaches that you can take.  ASA 8.2 and later supports double authentication allowing you to have a primary and secondary authentication method. You can also look into dynamic group-policy assignment based on LDAP or RADIUS attributes and then lock the user to a particular tunnel group using the group-lock feature.  This will prevent a user from "Remote Users" from logging in as "DBA" and vice versa.  You can also look into DAP policies which can be used to restrict connections based on a configured set of rules.

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1243545

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

http://www.cisco.com/en/US/customer/products/ps6120/products_white_paper09186a00809fcf38.shtml