Disallowing certain OU from logging into VPN.

acadia (Level 1)

I've got an ASA5510 with ASA 8.3(1), and it's working fine with several group policies, currently handling IPSec and SSL connections. It is authenticating against our AD servers (RADIUS) and I am wondering if it is possible to simply disallow members of a certain OU from connecting. We have a "portal" OU in AD for users who need certain AD functionality, but we wish to disallow them from having VPN access. Could someone point me towards a way to do this, if possible?

Thanks.

5 Replies

Yudong Wu (Level 7)

You can follow the attached example configuration.

Basically, you can use an LDAP attribute map to map that OU to a group-policy which will deny VPN access.

I've found lots of information describing how to do group policy and Dynamic Access Policies with LDAP info, but, as I stated, I am using RADIUS, not LDAP, for authentication. Short of reworking how the VPN handles authentication, is it possible to do what I'm trying to do?

If you are using RADIUS, you just need it to return an "IETF-Radius-Class-25 Attribute" to the ASA (based on the OU to which you would like to deny VPN access), and the ASA will map this attribute to a group-policy name directly.

What kind of RADIUS server are you using? It should be able to return the above attribute based on OU.
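The ASA side of what the reply above describes, as an added example that is not part of the original thread or of any Cisco sample configuration. It assumes a RADIUS server reachable at the constructed address 10.0.0.10 with the placeholder shared secret, and a deny group-policy named NOVPN (both names are assumptions). The ASA maps the RADIUS Class attribute to a group-policy when the value is of the form `OU=<group-policy-name>`; the RADIUS server (for example Windows NPS) must be configured separately to return that value only for users in the restricted OU.

```cisco
! --- Group-policy that refuses every login: zero simultaneous logins ---
! Users whom RADIUS places into this policy get an authorization failure.
group-policy NOVPN internal
group-policy NOVPN attributes
 vpn-simultaneous-logins 0

! --- RADIUS server group used for AD authentication (constructed values) ---
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 10.0.0.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! --- Tunnel group authenticates against that RADIUS group ---
! The RADIUS server returns, for users in the restricted OU only:
!   IETF Class (attribute 25) = "OU=NOVPN;"
! Any user without a Class attribute falls through to the default policy.
tunnel-group SSLVPN general-attributes
 authentication-server-group AD-RADIUS
 default-group-policy ALLOWED-USERS
```

With this in place the login attempt is refused before any tunnel is built, and `debug aaa common 255` shows the returned Class value so the mapping can be checked without guessing at the attribute ID.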

I'm not sure what the RADIUS server is, truth to tell. That falls into someone else's department. I just know that I utilize it when needed for authentication against our Active Directory users (4000+ of them). I've read about the "IETF-Radius-Class-25 Attribute", and I've tried to create a dynamic access policy based on that, but it seems to let the portal OU in regardless. Is this a non-default feature of a RADIUS server that I will have to get the Systems team to configure?

What is the "radius ID" number I would need to match the OU against in the dynamic access policy info, or is there another way I should be doing this?

Can you provide the output of "debug aaa common 255" when you try to connect? You should be able to see the attribute returned in the debugs, and based on that create the DAP.