Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4392
Views
5
Helpful
4
Replies

Group-lock feature in ASA

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎03-24-2014 02:08 PM

Hi Community, 

We have the following: 

  • IPsec VPN clients terminating at ASA. 
  • ASA authenticating VPN users against RSA server for token,user/pass via ACS using the SDI protocol. 
  • RSA checks the user database in AD. 

We want to restrict the VPN users to a specific connection profile (just as with the "group-lock" feature). 

Do we need to use RADIUS and if so, the ASA needs to "talk" directly to AD? 

Thank you, 

 

 

 

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-24-2014 03:09 PM

If you're using the legacy IPsec VPN client, the group name in the authentication box matches the tunnel-group (also known as connection profile) on the ASA. The preshared key of that tunnel-group ties the users to that particular group. That's independent of any RSA authentication and/or RADIUS authorization.

Of course with SSL or IPSec IKEv2 VPNs (AnyConnect Secure Mobility client), you would use the group-lock feature to restrict a user or group to a given connection profile.

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Marvin Rhoads

‎03-24-2014 03:12 PM

Marvin, the problem is different. 

Users get to connect using the legacy IPsec client because there's no real control on the .PCF distribution among the company. 

So, a user not authorized to connect using profile "B", can connect and have access if someone shares the .PCF file with this person. 

So, using the legacy VPN client how to "lock" the user to a specific group when the user database is in AD but the authentication is against an RSA? 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Federico Coto Fajardo

‎03-25-2014 11:43 AM

You have a couple of options in your case.

You could setup RADIUS for authorization as you alluded to earlier. That's in addition to the authentication you are doing via SDI to the LDAP backend. In the RADIUS setup you could assign downloadable ACLs etc. to restrict unauthorized users from using profiles inappropriately.

The better long term solution would be to just move to AnyConnect clients and use SSL VPN with the greater flexibility you have using connection profile lock and other mechanisms to restrict user access to the desired resources.

The most secure option would be to deploy individual user certificates using a PKI (and potentially SCEP) and prefill the username from the certificate. That's a non-trivial undertaking if there's no PKI currently in place but can result in a very nicely secured setup.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Marvin Rhoads

‎04-04-2014 02:22 PM

Ok, what will be best suited for the following scenario: 

IPsec VPN clients only terminating on ASA. 

The VPN clients authenticate using dual-factor against RSA for token and against AD for user/pass. 

The authentication should be done via the ACS. 

Given the above scenario, how do I configure the devices to lock down the VPN clients to specific tunnel-groups in the ASA? 

For example: The ASA will only have as AAA server the ACS, and the ACS will both handle the RSA and AD authentication besides the attribute to lock down the users to specific groups? And if so, the ACS will send this info. to the ASA? 

Or, do I configure DAP policies to accomplish this? 

Thank you, 

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents