1378 Views · 0 Helpful · 5 Replies

Cisco ASA with multiple groups for one user

PaulMalqmvist (Level 1)

Hi Experts

I have a setup with 1 ASAv used for AnyconnectVPN.
This is what I want to do:

1. I have 3 different users, User1, User2 and User3.
2. Authentication is done via RADIUS towards a Microsoft NPS server.
3. User1 is member of AD-group Group1-remote
4. User2 is member of AD-group Group2-remote
5. User3 is member of both Group1-remote and Group2-remote
6. I have created 2 tunnel-groups, Group1 with group-url https://x.x.x.x/group1 and address-pool Group1, and Group2 with group-url https://x.x.x.x/group2 and address-pool Group2

When connecting to https://x.x.x.x/group1 using user1 or user3 I get authenticated and assigned IP-address from the address-pool Group1.
When connecting to https://x.x.x.x/group2 using user2 I get authenticated and assigned IP-address from the address-pool Group2.
But when connecting to https://x.x.x.x/group2 using user3, authentication fails.

The reason for having this setup is that user3 should have access to 2 different networks on the inside, but when user3 is connected to network1 he is not allowed to have access to network2, and vice versa.

Anyone who can point me in the right direction to solve this?


5 Replies

Hi @PaulMalqmvist 

What is the error in the NPS logs when user3 fails authentication?


The problem you might face is if someone connects to the wrong tunnel-group. You can amend your NPS rules to use "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name" AND AD Groupname. So you only authenticate AD-Group1 users to Tunnel-Group1 and another for AD-Group2 and Tunnel-Group2.


HTH
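To make the setup in the original post and the pairing Rob describes concrete on the ASA side, here is an added ASA 9.x CLI example. It is not configuration from the thread, from Cisco, or from either poster; every name, address, ACL and key below is a placeholder, the NPS address 10.0.0.10 is assumed, x.x.x.x is the ASA outside address from the post, and WebVPN, the AnyConnect image and the outside interface are assumed to be enabled already.

```cisco
! Added example, not configuration from the thread: two AnyConnect connection
! profiles, one pool and one group-policy each, plus the ASA-side pieces that
! keep the two inside networks apart. All names and addresses are placeholders.

! RADIUS server group for the NPS server (address and key are assumptions).
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.0.0.10
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

! One address pool per connection profile. The pools are also the source
! ranges the VPN filters key on, so keep them disjoint.
ip local pool POOL-GROUP1 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL-GROUP2 10.10.2.1-10.10.2.254 mask 255.255.255.0

! VPN filters, written from the client's point of view (source = pool,
! destination = the one inside network that profile may reach). The ASA
! applies a vpn-filter to the session in both directions; traffic the ACL
! does not permit is dropped, which is what keeps network1 and network2 apart.
access-list VPNFILTER-GROUP1 extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPNFILTER-GROUP2 extended permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0

! Group policies. When the RADIUS Access-Accept carries Class (attribute 25)
! in the OU=<group-policy name> form the ASA parses, the ASA applies that
! policy. group-lock then rejects a session whose policy names a different
! connection profile than the one the user actually connected to.
group-policy GP-GROUP1 internal
group-policy GP-GROUP1 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-GROUP1
 vpn-filter value VPNFILTER-GROUP1
 group-lock value TG-GROUP1
group-policy GP-GROUP2 internal
group-policy GP-GROUP2 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-GROUP2
 vpn-filter value VPNFILTER-GROUP2
 group-lock value TG-GROUP2

! Connection profiles (tunnel-groups), one per group-url. The profile name is
! what the ASA sends to the RADIUS server as Cisco VSA 146 (Tunnel-Group-Name),
! the attribute Rob's NPS rules would pair with the AD group.
tunnel-group TG-GROUP1 type remote-access
tunnel-group TG-GROUP1 general-attributes
 address-pool POOL-GROUP1
 authentication-server-group NPS
 default-group-policy GP-GROUP1
tunnel-group TG-GROUP1 webvpn-attributes
 group-url https://x.x.x.x/group1 enable
tunnel-group TG-GROUP2 type remote-access
tunnel-group TG-GROUP2 general-attributes
 address-pool POOL-GROUP2
 authentication-server-group NPS
 default-group-policy GP-GROUP2
tunnel-group TG-GROUP2 webvpn-attributes
 group-url https://x.x.x.x/group2 enable
```

Two caveats. Nothing in this configuration changes which Class value the ASA honours when an Access-Accept carries more than one, so the example relies on the RADIUS server returning exactly one Class per session, which is what the two-rule scheme (Tunnel-Group-Name AND AD group) is meant to produce; without that, a user in both AD groups keeps getting whichever policy the ASA picks first, and group-lock will reject him on the other profile. The vpn-filter lines are the part that enforces the separation the original post asks for: even if a user reaches the wrong profile, the filter bound to the policy he received limits him to that policy's network.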

Hi Rob

Thanks for your answer.

It's not the NPS that rejects the logon, it's the ASA, because the NPS returns Group1 and Group2 as attribute 25, but the ASA only looks at the first attribute in this case.

So I need something in the ASA to be able to differentiate between the 2 different URLs.


Yes, that RADIUS AV I provided above will differentiate between whether the user connects from the different tunnel-groups. You will need 2 NPS rules, 1 for each tunnel-group/ad-group pair.

Hi Rob

Thank you for the answer.

Do you know how to configure this in Microsoft NPS, or point me to some documentation that describes this? I can't find out how to check the RADIUS attribute Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name in the conditions.

mcoupe (Level 1)

Any response on a way to do this? I'm trying to do something very similar and all my research says no dice: NPS won't filter on anything other than membership in an AD group. So if you're trying to have one user in multiple groups and filter on some additional attribute, no dice. If the VPN would pass the machine name, or NPS would filter on Cisco RADIUS attribute 146, problem solved.


FWIW, I'm trying to tie domain-bound computers to an Always On VPN but let the same users connect personal mobile devices without the Always On requirement (FTD 6.6.0.1 and AnyConnect 4.9.x). If someone has found a way I'd love to hear about it.
