cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
675
Views
0
Helpful
3
Replies
groupedlsi
Beginner

Deny IPSEC and allow Clientless VPN for a group

Hello,

I'm trying to block the L2TP over IPSEC,and allow Clientless VPN for a group from the Active Directory (with a radius server).

But I've failed to deny the ipsec access...

I have two groups that have a differents class.25 attributes:

CN=IPSEC_user;

CN=WebSSL_user;

And I want deny the ipsec acces for CN=WebSSL_user but I want allow this one to access Clientless SSL VPN! and vice versa forCN=IPSEC_user;

For the group IPSEC_user there is no problem (I've disabled almost everything in a DAP), But for CN=WebSSL_user I don't know how to deny the IPSEC access.

3 REPLIES 3
Herbert Baerten
Cisco Employee

Hi Ludovic,

in the group-policy you can specify which protocols are allowed to be used:

group-policy WebSSL_user attributes

  vpn-tunnel-protocol webvpn

group-policy IPsec_user attributes

  vpn-tunnel-protocol IPSec l2tp-ipsec

(depending on the ASA version, you may or may not need to specify IPsec in addition to l2tp-ipsec).

You could also push these from the Radius server, I don't know the attribute to use off the top of my head but let me know if you need it.

hth

Herbert

Hi Herbert, thx for the answer.

I have it, I just added in the radius class 25 attribute "OU=grouppolicyname;"

I.E. for SSL only in the radius classe 25 attribute I have "OU=WebSSLGroup;CN=WebSSL_user;"

Oh I completely overlooked that, you were using CN instead of OU. Note that the CN is ignored by the ASA, so only the OU is used to define the group-policy.

I'm just guessing now, but if you meant to assign a tunnel-group, that is not possible, because the radius authentication only takes place after a tunnel-group has already been selected (since authentication is a property of the tunnel-group).

In this kind of scenario that is usually not a problem, it is ok for all users to even connect to the same tunnel-group, and just get different group-policies.

If for some reason you do want to have 2 tunnel-groups and want to prevent that users connect to the 'wrong' one, then you can use the group-lock feature for that - this will deny the connection if the user connected to the wrong TG.

i.e.

group-policy WebSSL_user attributes

  vpn-tunnel-protocol webvpn

  group-lock value myWebSSLTunnelGroup

hth

Herbert

Content for Community-Ad