Deny IPSEC and allow Clientless VPN for a group

groupedlsi
Level 1

Hello,

I'm trying to block L2TP over IPSEC, and allow Clientless VPN for a group from the Active Directory (with a RADIUS server).

But I've failed to deny the ipsec access...

I have two groups that have different Class 25 attributes:

CN=IPSEC_user;

CN=WebSSL_user;

And I want to deny the IPSEC access for CN=WebSSL_user, but I want to allow this one to access Clientless SSL VPN! And vice versa for CN=IPSEC_user;

For the group IPSEC_user there is no problem (I've disabled almost everything in a DAP), but for CN=WebSSL_user I don't know how to deny the IPSEC access.


Herbert Baerten
Cisco Employee

Hi Ludovic,

In the group-policy you can specify which protocols are allowed to be used:

group-policy WebSSL_user attributes
  vpn-tunnel-protocol webvpn

group-policy IPsec_user attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec

(depending on the ASA version, you may or may not need to specify IPsec in addition to l2tp-ipsec).

You could also push these from the Radius server, I don't know the attribute to use off the top of my head but let me know if you need it.

hth

Herbert

Hi Herbert, thx for the answer.

I have it, I just added "OU=grouppolicyname;" in the RADIUS class 25 attribute.

I.e. for SSL only, in the RADIUS class 25 attribute I have "OU=WebSSLGroup;CN=WebSSL_user;"

Oh I completely overlooked that, you were using CN instead of OU. Note that the CN is ignored by the ASA, so only the OU is used to define the group-policy.

I'm just guessing now, but if you meant to assign a tunnel-group, that is not possible, because the radius authentication only takes place after a tunnel-group has already been selected (since authentication is a property of the tunnel-group).

In this kind of scenario that is usually not a problem, it is ok for all users to even connect to the same tunnel-group, and just get different group-policies.

If for some reason you do want to have 2 tunnel-groups and want to prevent that users connect to the 'wrong' one, then you can use the group-lock feature for that - this will deny the connection if the user connected to the wrong TG.

i.e.

group-policy WebSSL_user attributes
  vpn-tunnel-protocol webvpn
  group-lock value myWebSSLTunnelGroup

hth

Herbert
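To make the behaviour Herbert describes concrete, here is an added Python model (not ASA code, and not written by anyone in this thread) of how the OU field of the RADIUS Class attribute selects the group-policy, how vpn-tunnel-protocol then restricts the protocol, and how group-lock rejects a session on the wrong tunnel-group. The policy table, tunnel-group names and Class values are constructed for the illustration.

```python
# Added illustration, not ASA code: models the decision chain discussed in
# this thread. Group-policy names, tunnel-group names and Class values are
# constructed examples.

# Hypothetical group-policy table mirroring the configuration in the thread.
GROUP_POLICIES = {
    "WebSSLGroup": {"vpn-tunnel-protocol": {"webvpn"},
                    "group-lock": "myWebSSLTunnelGroup"},
    "IPsecGroup":  {"vpn-tunnel-protocol": {"ipsec", "l2tp-ipsec"},
                    "group-lock": None},
}


def group_policy_from_class(class_value):
    """Return the group-policy named by the 'OU=<name>;' field of a RADIUS
    Class (attribute 25) value. Other fields such as 'CN=...;' are ignored,
    which is why a CN-only value selects no group-policy."""
    for field in class_value.split(";"):
        key, sep, value = field.strip().partition("=")
        if sep and key.strip().upper() == "OU":
            return value.strip()
    return None


def authorize(class_value, protocol, tunnel_group, policies=GROUP_POLICIES):
    """Decide whether a session using `protocol` on `tunnel_group` is allowed
    for a user whose RADIUS Class attribute is `class_value`.
    Returns (allowed, reason)."""
    name = group_policy_from_class(class_value)
    if name is None:
        # The tunnel-group's default group-policy would apply here; this
        # model does not define one, so it denies and says why.
        return False, "no OU in Class attribute; default group-policy not modelled"
    policy = policies.get(name)
    if policy is None:
        return False, f"unknown group-policy {name!r}"
    # group-lock: deny when the user connected to the wrong tunnel-group.
    lock = policy["group-lock"]
    if lock is not None and lock != tunnel_group:
        return False, f"group-lock: {tunnel_group} is not {lock}"
    # vpn-tunnel-protocol: deny protocols the group-policy does not list.
    if protocol.lower() not in policy["vpn-tunnel-protocol"]:
        return False, f"{protocol} not in vpn-tunnel-protocol of {name}"
    return True, f"permitted by group-policy {name}"
```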
