09-22-2011 09:42 AM - edited 02-21-2020 05:36 PM
Hello,
I'm trying to block the L2TP over IPsec, and allow Clientless VPN for a group from the Active Directory (with a RADIUS server).
But I've failed to deny the ipsec access...
I have two groups that have different class 25 attributes:
CN=IPSEC_user;
CN=WebSSL_user;
And I want to deny the IPsec access for CN=WebSSL_user but I want to allow this one to access Clientless SSL VPN, and vice versa for CN=IPSEC_user.
For the group IPSEC_user there is no problem (I've disabled almost everything in a DAP), but for CN=WebSSL_user I don't know how to deny the IPsec access.
09-26-2011 05:05 AM
Hi Ludovic,
in the group-policy you can specify which protocols are allowed to be used:
group-policy WebSSL_user attributes
 vpn-tunnel-protocol webvpn
group-policy IPsec_user attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
(depending on the ASA version, you may or may not need to specify IPsec in addition to l2tp-ipsec).
You could also push these from the Radius server, I don't know the attribute to use off the top of my head but let me know if you need it.
hth
Herbert
09-27-2011 07:33 AM
Hi Herbert, thx for the answer.
I have it: I just added in the RADIUS class 25 attribute "OU=grouppolicyname;"
I.e. for SSL only, in the RADIUS class 25 attribute I have "OU=WebSSLGroup;CN=WebSSL_user;"
09-30-2011 12:13 AM
Oh I completely overlooked that, you were using CN instead of OU. Note that the CN is ignored by the ASA, so only the OU is used to define the group-policy.
I'm just guessing now, but if you meant to assign a tunnel-group, that is not possible, because the radius authentication only takes place after a tunnel-group has already been selected (since authentication is a property of the tunnel-group).
In this kind of scenario that is usually not a problem, it is ok for all users to even connect to the same tunnel-group, and just get different group-policies.
If for some reason you do want to have 2 tunnel-groups and want to prevent that users connect to the 'wrong' one, then you can use the group-lock feature for that - this will deny the connection if the user connected to the wrong TG.
i.e.
group-policy WebSSL_user attributes
 vpn-tunnel-protocol webvpn
 group-lock value myWebSSLTunnelGroup
hth
Herbert
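The two rules the thread settles on (the OU= field of the RADIUS Class attribute picks the group-policy while CN= is ignored, and vpn-tunnel-protocol plus group-lock then decide whether a session on a given protocol and tunnel-group is accepted) can be sanity-checked outside a lab with a small model. The following is an added example, not code from the thread or from Cisco; it is a simplified Python re-statement of the intended behaviour, and the policy table, the IPsecGroup/l2tpTG names and the session_allowed helper are constructed assumptions for the illustration.

```python
"""Simplified model of the thread's ASA decision logic (added example, not
Cisco code). It parses a RADIUS Class (attribute 25) string, selects the
group-policy from its OU= field, and applies vpn-tunnel-protocol and
group-lock from a constructed policy table."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class GroupPolicy:
    name: str
    tunnel_protocols: Set[str]            # values of vpn-tunnel-protocol
    group_lock: Optional[str] = None      # tunnel-group from group-lock value


# Constructed policy table mirroring the thread: WebSSLGroup is the OU the
# poster put in the Class attribute; IPsecGroup and l2tpTG are assumed names.
POLICIES: Dict[str, GroupPolicy] = {
    "WebSSLGroup": GroupPolicy("WebSSLGroup", {"webvpn"}, "myWebSSLTunnelGroup"),
    "IPsecGroup": GroupPolicy("IPsecGroup", {"ipsec", "l2tp-ipsec"}),
}


def parse_class_attribute(value: str) -> Dict[str, str]:
    """Split 'OU=WebSSLGroup;CN=WebSSL_user;' into {'OU': ..., 'CN': ...}.
    Fields are ';'-separated; a trailing ';' and blank fields are tolerated."""
    pairs: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, val = part.partition("=")
        pairs[key.strip().upper()] = val.strip()
    return pairs


def group_policy_from_class(value: str) -> Optional[str]:
    """Only OU= selects a group-policy; CN= is ignored (as stated in the thread)."""
    return parse_class_attribute(value).get("OU")


def session_allowed(class_attr: str, protocol: str, tunnel_group: str,
                    policies: Dict[str, GroupPolicy] = POLICIES) -> Tuple[bool, str]:
    """Decide whether a session is accepted, in the order group-policy lookup,
    group-lock, then vpn-tunnel-protocol. Returns (allowed, reason)."""
    name = group_policy_from_class(class_attr)
    if name is None or name not in policies:
        return False, "no group-policy selected: Class attribute carries no known OU="
    gp = policies[name]
    if gp.group_lock is not None and gp.group_lock != tunnel_group:
        return False, f"group-lock: {name} may only connect via {gp.group_lock}"
    if protocol.lower() not in gp.tunnel_protocols:
        return False, f"{protocol} is not in vpn-tunnel-protocol of {name}"
    return True, f"allowed by group-policy {name}"


def check_intent() -> Dict[str, bool]:
    """Run the scenarios from the thread and return allowed/denied per case."""
    webssl = "OU=WebSSLGroup;CN=WebSSL_user;"
    ipsec = "OU=IPsecGroup;CN=IPSEC_user;"
    return {
        "webssl_clientless": session_allowed(webssl, "webvpn", "myWebSSLTunnelGroup")[0],
        "webssl_l2tp": session_allowed(webssl, "l2tp-ipsec", "myWebSSLTunnelGroup")[0],
        "webssl_wrong_tg": session_allowed(webssl, "webvpn", "l2tpTG")[0],
        "ipsec_l2tp": session_allowed(ipsec, "l2tp-ipsec", "l2tpTG")[0],
        "ipsec_clientless": session_allowed(ipsec, "webvpn", "l2tpTG")[0],
    }


if __name__ == "__main__":
    for case, ok in check_intent().items():
        print(f"{case:18s} {'allowed' if ok else 'denied'}")
```

The model deliberately stops at the three checks the thread discusses; a real ASA evaluates more (DAP, tunnel-group defaults, user attributes), so use it to confirm the attribute string and policy names line up, not as a substitute for testing the actual device.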