09-22-2011 09:42 AM - edited 02-21-2020 05:36 PM
Hello,
I'm trying to block L2TP over IPsec and allow Clientless VPN for a group from Active Directory (with a RADIUS server).
But I've failed to deny the IPsec access...
I have two groups that have different class 25 attributes:
CN=IPSEC_user;
CN=WebSSL_user;
And I want to deny IPsec access for CN=WebSSL_user but allow this one to access Clientless SSL VPN, and vice versa for CN=IPSEC_user.
For the group IPSEC_user there is no problem (I've disabled almost everything in a DAP), but for CN=WebSSL_user I don't know how to deny the IPsec access.
09-26-2011 05:05 AM
Hi Ludovic,
in the group-policy you can specify which protocols are allowed to be used:
group-policy WebSSL_user attributes
vpn-tunnel-protocol webvpn
group-policy IPsec_user attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
(depending on the ASA version, you may or may not need to specify IPsec in addition to l2tp-ipsec).
You could also push these from the RADIUS server; I don't know the attribute to use off the top of my head, but let me know if you need it.
hth
Herbert
09-27-2011 07:33 AM
Hi Herbert, thx for the answer.
I have it; I just added the RADIUS class 25 attribute "OU=grouppolicyname;"
I.e. for SSL only, in the RADIUS class 25 attribute I have "OU=WebSSLGroup;CN=WebSSL_user;"
09-30-2011 12:13 AM
Oh I completely overlooked that, you were using CN instead of OU. Note that the CN is ignored by the ASA, so only the OU is used to define the group-policy.
I'm just guessing now, but if you meant to assign a tunnel-group, that is not possible, because the RADIUS authentication only takes place after a tunnel-group has already been selected (since authentication is a property of the tunnel-group).
In this kind of scenario that is usually not a problem; it is OK for all users to connect to the same tunnel-group and just get different group-policies.
If for some reason you do want to have two tunnel-groups and want to prevent users from connecting to the 'wrong' one, then you can use the group-lock feature for that. This will deny the connection if the user connected to the wrong TG.
i.e.
group-policy WebSSL_user attributes
vpn-tunnel-protocol webvpn
group-lock value myWebSSLTunnelGroup
hth
Herbert
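Added example (not from this thread, not Cisco's code): a small Python model of the decision the posts above describe. It parses a RADIUS Class (attribute 25) string, takes only the OU= element as the group-policy name (CN= is ignored, as Herbert notes), then applies that policy's vpn-tunnel-protocol and group-lock settings to a connection attempt. The policy table is constructed from the group-policy snippets in this thread; the function names, the default-policy fallback and the protocol keywords as plain strings are assumptions of this example, not ASA behaviour verified beyond what the posts state.

```python
"""Toy model of ASA group-policy selection from a RADIUS Class attribute.

Added example for illustration; it is not ASA code and only models the
behaviour described in the thread (OU= selects the group-policy, CN= is
ignored, vpn-tunnel-protocol limits protocols, group-lock pins a TG).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class GroupPolicy:
    name: str
    tunnel_protocols: Set[str]          # values of 'vpn-tunnel-protocol'
    group_lock: Optional[str] = None    # value of 'group-lock value <TG>'


# Constructed from the two group-policy snippets posted in the thread.
POLICIES: Dict[str, GroupPolicy] = {
    "WebSSL_user": GroupPolicy("WebSSL_user", {"webvpn"},
                               group_lock="myWebSSLTunnelGroup"),
    "IPsec_user": GroupPolicy("IPsec_user", {"ipsec", "l2tp-ipsec"}),
}


def parse_class_attribute(value: str) -> Dict[str, str]:
    """Split 'OU=WebSSLGroup;CN=WebSSL_user;' into {'OU': ..., 'CN': ...}.

    Keys are upper-cased and a trailing ';' is tolerated. Elements without
    '=' are rejected so a mistyped attribute fails loudly.
    """
    parts: Dict[str, str] = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed Class element: {item!r}")
        key, val = item.split("=", 1)
        parts[key.strip().upper()] = val.strip()
    return parts


def group_policy_from_class(value: str, default: Optional[str] = None) -> Optional[str]:
    """Return the group-policy name taken from the OU= element only.

    CN= is deliberately ignored (the point of Herbert's correction). If no
    OU= is present the caller's default (assumed: the tunnel-group's default
    group-policy) is returned instead.
    """
    return parse_class_attribute(value).get("OU", default)


def evaluate_connection(class_value: str, tunnel_group: str, protocol: str,
                        policies: Dict[str, GroupPolicy] = POLICIES,
                        default_policy: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a connection is allowed and say why."""
    name = group_policy_from_class(class_value, default_policy)
    if name is None or name not in policies:
        return False, "no usable group-policy from Class attribute"
    gp = policies[name]
    # group-lock: the user must have connected to the pinned tunnel-group.
    if gp.group_lock is not None and gp.group_lock != tunnel_group:
        return False, f"group-lock: {name} is locked to {gp.group_lock}"
    # vpn-tunnel-protocol: the protocol in use must be in the allowed set.
    if protocol.lower() not in gp.tunnel_protocols:
        return False, f"vpn-tunnel-protocol: {protocol} not permitted by {name}"
    return True, f"allowed by group-policy {name}"


if __name__ == "__main__":
    # Constructed sample: a WebSSL user trying each protocol.
    for proto in ("webvpn", "l2tp-ipsec"):
        print(proto, evaluate_connection("OU=WebSSL_user;CN=WebSSL_user;",
                                         "myWebSSLTunnelGroup", proto))
```

The OU value must match the group-policy name exactly (the thread's "OU=WebSSLGroup;" would only work if a group-policy named WebSSLGroup exists); running the script with the attribute strings you are pushing from RADIUS is a quick way to catch that mismatch before debugging it on the ASA.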