12-30-2016 04:21 AM
Hi Cisco Experts,
I know there is a way to configure an LDAP attribute map so that authentication and authorization are granted to specified groups only. Is there any way to configure the same for 2F authentication?
Let me brief you on my requirement.
I have configured 2 Remote Access VPNs (RAVPN1G and RAVPN2G) using RSA 2F authentication. There are 2 user groups in RSA (USER1G and USER2G). Currently both user groups are able to log in to both VPNs. We want to restrict it so that USER1G can log in to RAVPN1G only and not to the other one, and vice versa. We can do it in RSA, but is there any way to define the same in the ASA?
Please advise.
12-30-2016 09:16 AM
Is the ASA talking to the RSA server using the RADIUS or the SDI protocol?
If it is RADIUS, then you can use the Tunnel-Group-Lock feature along with the RADIUS Class attribute to lock an AD user to a particular tunnel-group.
http://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html#anc5
How it works:
User1G will have the RADIUS Class attribute (25) set to "OU=GroupPolicy1" in AD.
User2G will have the RADIUS Class attribute (25) set to "OU=GroupPolicy2" in AD.
GroupPolicy1 will have group-lock set to RAVPN1G, and GroupPolicy2 will have it set to RAVPN2G.
When User1 connects, they will receive the group policy GroupPolicy1, which only allows them to connect via RAVPN1G. Similarly for User2.
12-30-2016 12:28 PM
Hi Rahul,
Thanks for the response, but:
1. Users are not configured locally; they are taken from RADIUS (the ASA is talking to the RSA server using RADIUS).
2. "OU=GroupPolicy1" on AD (how is AD required here?)
3. Can you please give the CLI configuration for setting the Class attribute (25) to "OU=GroupPolicy1" on AD?
01-02-2017 03:26 PM
1) If RADIUS is the protocol and RSA is using internally defined users (on the RSA server itself), then the server should reply with RADIUS attribute 25 (Class) set to the value "OU=GroupPolicy1". There is no Cisco documentation on the RSA server part that I could find, but searching through RSA's docs, I was able to find information on setting RADIUS user attributes on the RSA server here:
https://community.rsa.com/docs/DOC-59536
2) If AD were being used as the identity store for users, the RADIUS attribute would be set on the domain controller for the users. If you are not using AD, then the RADIUS attribute has to be returned by the RSA server.
3) For the AD settings, please refer to the guide below:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html#anc9
The ASA does not require any configuration to map Class to Group-Policy, this is done automatically.
07-12-2018 06:52 AM
Hi Rahul,
Can you help with the following configuration?
Currently the ASA and AD integration is done and group policies are mapped to AD user groups, e.g.:
ldap attribute-map ANYCONNECT
  map-name memberOf Group-Policy
  map-value memberOf "CN=CP-Users,OU=VPN-Access,OU=Corp-Users,DC=cisco,DC=org" CP-USERS-GP
Now AD is replaced with Microsoft MFA and I need a similar kind of mapping, but I am not able to find a relevant mapping under the RADIUS server:
(config-aaa-server-host)# ?
AAA server configuration commands:
  accounting-port        Specify the port number to be used for accounting
  acl-netmask-convert    Specify the ACL Downloadable Netmask Operation
  authentication-port    Specify the port number to be used for authentication
  exit                   Exit from aaa-server host configuration mode
  group-search-timeout   Specify the maximum time to wait for response from
                         configured server when using the 'show ad-groups' command
  help                   Help for AAA server configuration commands
  key                    Specify the secret used to authenticate the NAS to the AAA server
  mschapv2-capable       Enter this keyword to indicate that the server supports
                         MSChap V2 requests
  no                     Remove an item from aaa-server host configuration
  proxy-auth_map         Specify proxy auth protocol table type
  radius-common-pw       Specify a common password for all RADIUS authorization
                         transactions
  retry-interval         Specify the amount of time between retry attempts
  timeout                Specify the maximum time to wait for response from
                         configured server
How do I get the user group (MFA, attribute 25 abstracted from AD) to match the VPN group policy?
Thanks
Maduranga
07-12-2018 02:52 PM
This mapping is done automatically by the ASA for RADIUS without any configuration required. All you need to do is set the Class attribute (RADIUS 25) through the NPS extension for MFA. The ASA will map this attribute to the group-policy.
NPS extension with Azure MFA is here:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
ASA NPS integration is here:
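As an added example, not taken from the thread or from Cisco's documentation, here is the ASA side of the scheme Rahul describes in both of his replies (RADIUS Class attribute -> group-policy -> group-lock). The tunnel-group and group-policy names are the ones used in the thread; the server-group name RSA-RADIUS, the server address 192.0.2.10, the shared secret placeholder and the NOACCESS fallback policy are assumptions for illustration.

```cisco
! Added example (not from the thread). RADIUS server group pointing at the
! RSA Authentication Manager or NPS server; address and key are placeholders.
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! One group-policy per user population. group-lock ties the policy to exactly
! one tunnel-group: a user who lands in GroupPolicy1 but connected to RAVPN2G
! is rejected after authentication instead of being let in.
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ssl-client
 group-lock value RAVPN1G
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol ssl-client
 group-lock value RAVPN2G

! Assumed fallback: users whose Access-Accept carries no usable Class
! attribute inherit this policy and cannot establish a session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Both tunnel-groups authenticate against the same RADIUS server group and
! default to the deny-all policy; RADIUS Class overrides the default.
tunnel-group RAVPN1G type remote-access
tunnel-group RAVPN1G general-attributes
 authentication-server-group RSA-RADIUS
 default-group-policy NOACCESS
tunnel-group RAVPN2G type remote-access
tunnel-group RAVPN2G general-attributes
 authentication-server-group RSA-RADIUS
 default-group-policy NOACCESS
```

The RADIUS server (RSA or NPS with the MFA extension) has to return Class (attribute 25) with the literal value OU=GroupPolicy1 or OU=GroupPolicy2 in the Access-Accept; the ASA only treats a Class value as a group-policy name when it carries the OU= prefix, so a bare policy name is silently ignored and the user falls back to the tunnel-group default. Because authentication succeeds before group-lock is evaluated, a USER1G member connecting to RAVPN2G still produces a successful RADIUS Access-Accept on the server side and is denied by the ASA only afterwards, which is worth knowing when reading logs. To confirm which attributes the server actually sends, `test aaa-server authentication RSA-RADIUS host 192.0.2.10 username <user> password <otp>` on the ASA prints the returned attributes.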
04-14-2020 03:04 AM
Perhaps an old topic, but almost the same situation:
1) Cisco ASA
2) NPS as RADIUS
3) Two RA VPN profiles/groups (for example VPN1group and VPN2group) with different access rights and different VPN profiles (P1 and P2)
4) Users: us1, us2, us3, us4, us5
How do I make us5 a member of both groups at the same time?
The goal is to allow user us5 to have both VPN profiles and to use the corresponding profile based on the access required.
Best regards.