2353 Views, 0 Helpful, 4 Replies

How to restrict SSLVPN / WebVPN access to specific users?

networking_nwis
Level 1

Hi all,

The subject says it all really...  We have an established IPSEC VPN service running on ASA 5540s with several thousand regular users.

I am in the process of trialling WebVPN but I don't want just anyone to be able to connect to it.  I'd like to provide the ASA with a list of usernames that are permitted access to the WebVPN service during the piloting stage.

User authentication is handled by Cisco Secure ACS, which backs off to RSA SecureID, and valid users have a SecurID Token.

I don't believe having the user restriction on the ACS is the way forward as using Permitted Calling Points is the only way I can think of to do this, which would prevent all users from dialling in over IPSEC.

Can anyone advise how I can lock access to WebVPN down to a list of users WITHOUT simultaneously affecting access via IPSEC?

Many thanks in advance,

Nick

4 Replies

Hi,

During the test phase, you can configure SSL VPN on the ASA to authenticate locally for example.

Users that want to connect via SSL (either client-less or client-based) will be prompted for local authentication. You define a local database on the ASA of valid users.

The IPsec clients and the SSL clients can be configured to use different group-policies and the group-policy for SSL will have a local authentication option.

This is not the ideal scenario, but you can have just a few users testing SSL while you decide to have the SSL clients authenticate against the ACS and RSA servers.

Federico.

Hi Federico,

Many thanks for taking the time to respond :-)

Using local auth was one of the things I'd considered, however our security policy prevents me from using this unfortunately.  I was wondering about the possibility of using DAP?

Unfortunately the Cisco documentation on the use of DAP is as clear as ever - i.e. about as clear as mud!

Do you or anyone know of a decent document explaining how to implement DAP, or know enough to be able to explain it a little better?

Many Thanks,

Nick

S M85
Level 4

Nick,

Is the ASA talking directly to ACS with RADIUS or TACACS? Your ACS server can provide attribute 25 with the right group policy (tunnel policy). Only the right users that are members of the group can log in successfully.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

regards,

Sander
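The following ASA configuration sketch is an added illustration of the two suggestions in this thread (Federico's separate group-policy for SSL, and Sander's RADIUS attribute 25 assignment); it is not from the thread, nor from the Cisco document Sander links. Every name in it (NO-SSL, SSL-PILOT, ACS-RADIUS, the 10.0.0.10 server address, the shared secret and the example username) is a placeholder. Keyword syntax is for ASA 8.4 and later; 8.0 to 8.2 images use `vpn-tunnel-protocol IPSec webvpn svc` for the same protocol selection.

```cisco
! Added example, not from the thread. Names, addresses and secrets are placeholders.

! 1. A restrictive policy that permits IPsec only. Anyone who lands on this
!    policy over an SSL connection is refused ("unauthorized connection mechanism").
group-policy NO-SSL internal
group-policy NO-SSL attributes
 vpn-tunnel-protocol ikev1

! 2. The pilot policy: the only policy that permits clientless and AnyConnect SSL.
group-policy SSL-PILOT internal
group-policy SSL-PILOT attributes
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 vpn-simultaneous-logins 1

! 3. RADIUS towards ACS (which in turn backs off to RSA, as in the original post).
!    The existing IPsec tunnel-group keeps its current server group and
!    default-group-policy; nothing there changes.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.10
 key <acs-shared-secret>

! 4. A dedicated SSL tunnel-group whose fallback policy denies SSL.
!    A user only receives SSL-PILOT when ACS returns RADIUS attribute 25 (Class)
!    with the value "OU=SSL-PILOT;" (trailing semicolon required) in the
!    Access-Accept. Every other valid ACS/RSA user authenticates, falls to
!    NO-SSL and is refused, while their IPsec access is unaffected.
tunnel-group SSL-PILOT type remote-access
tunnel-group SSL-PILOT general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy NO-SSL
tunnel-group SSL-PILOT webvpn-attributes
 group-alias pilot enable

webvpn
 enable outside
 tunnel-group-list enable

! Variant for Federico's local-database option (which Nick's policy rules out):
! point the tunnel-group at LOCAL and attach the policy per user instead.
!  tunnel-group SSL-PILOT general-attributes
!   authentication-server-group LOCAL
!  username nick password <placeholder> privilege 0
!  username nick attributes
!   vpn-group-policy SSL-PILOT
```

The deny-by-default shape is the security-relevant part: the allow list lives in the ACS group that returns `OU=SSL-PILOT;`, and the ASA side fails closed for anyone else because NO-SSL never permits an SSL protocol. To check what is actually happening during the pilot, `debug radius` shows the Class attribute in the Access-Accept and `show vpn-sessiondb anyconnect` (or `show vpn-sessiondb webvpn`) shows which group-policy a connected session was assigned.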

Hi Sander,

We use TACACS+ for Admin Authentication (SSH & ASDM) and RADIUS for user access.

That is a great looking document - I will have a read, thank you.

We were looking for something like this a few years ago when we were originally setting up our RA solution, and came up completely empty!

Nick