cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4757
Views
5
Helpful
4
Replies

Group-lock feature in ASA

Hi Community, 

We have the following: 

  • IPsec VPN clients terminating at ASA. 
  • ASA authenticating VPN users against RSA server for token,user/pass via ACS using the SDI protocol. 
  • RSA checks the user database in AD. 

We want to restrict the VPN users to a specific connection profile (just as with the "group-lock" feature). 

Do we need to use RADIUS and if so, the ASA needs to "talk" directly to AD? 

Thank you, 

 

 

 

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

If you're using the legacy IPsec VPN client, the group name in the authentication box matches the tunnel-group (also known as connection profile) on the ASA. The preshared key of that tunnel-group ties the users to that particular group. That's independent of any RSA authentication and/or RADIUS authorization.

Of course with SSL or IPSec IKEv2 VPNs (AnyConnect Secure Mobility client), you would use the group-lock feature to restrict a user or group to a given connection profile.

Marvin, the problem is different. 

Users get to connect using the legacy IPsec client because there's no real control on the .PCF distribution among the company. 

So, a user not authorized to connect using profile "B", can connect and have access if someone shares the .PCF file with this person. 

So, using the legacy VPN client how to "lock" the user to a specific group when the user database is in AD but the authentication is against an RSA? 

You have a couple of options in your case.

You could setup RADIUS for authorization as you alluded to earlier. That's in addition to the authentication you are doing via SDI to the LDAP backend. In the RADIUS setup you could assign downloadable ACLs etc. to restrict unauthorized users from using profiles inappropriately.

The better long term solution would be to just move to AnyConnect clients and use SSL VPN with the greater flexibility you have using connection profile lock and other mechanisms to restrict user access to the desired resources.

The most secure option would be to deploy individual user certificates using a PKI (and potentially SCEP) and prefill the username from the certificate. That's a non-trivial undertaking if there's no PKI currently in place but can result in a very nicely secured setup.

Ok, what will be best suited for the following scenario: 

IPsec VPN clients only terminating on ASA. 

The VPN clients authenticate using dual-factor against RSA for token and against AD for user/pass. 

The authentication should be done via the ACS. 

Given the above scenario, how do I configure the devices to lock down the VPN clients to specific tunnel-groups in the ASA? 

For example: The ASA will only have as AAA server the ACS, and the ACS will both handle the RSA and AD authentication besides the attribute to lock down the users to specific groups? And if so, the ACS will send this info. to the ASA? 

Or, do I configure DAP policies to accomplish this? 

Thank you,