09-12-2012 09:09 AM
Hello Guys,
Need some help here. We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration, but I do have some inquiries about how to configure it properly.
1. Employees and clients will access the URL https://sslvpn.bla.bla.com
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
My challenge is, we have several clients and all their usernames were created in ACS 5.3. Meaning, if the configuration is differentiated only by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access each other's resources. Also, in the future we will be deploying 2-factor authentication for some of our clients.
Can you guide me on how to restrict clientA from accessing the profile of clientB and vice versa? There will be around 30 client profiles and I want to make sure that they will only be authorized to access their respective profiles.
I read some articles on how this can be done on Cisco ACS 4.x but I'm using ACS 5.3.
Thanks in advance.
John
09-12-2012 10:09 AM
Hi John,
For this you can use:
1- Group-lock.
2- Group-URL or group ALIAS.
ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method
3- Radius authentication
ASA 8.0: Configure RADIUS Authentication for WebVPN Users
Let me know.
Thanks.
Portu.
Please rate any post you find helpful.
09-12-2012 10:54 AM
I just found the solution. There's this option in Cisco ACS 5.3 wherein you can define this: DAP-Tunnel-Group-Name. This will match the tunnel-group selected by the user, and I created a conditional statement in the ACS requiring that the Identity Group of the user and the tunnel-group match for the authentication to pass.
I'm still trying to figure out my way here on SSLVPN but can you help me understand what a group-lock is? I have it on my configuration but I do not know its purpose.
Thanks,
John
09-12-2012 11:18 AM
Hi John,
The group-lock option restricts a group policy so that it can only be used with the tunnel-group that is locked to it. If you send a group policy using attribute 25 (Class), the users in that specific group will get only that group-policy, and if the policy they are getting is linked to a tunnel group (using group-lock), they should only be able to connect to the tunnel group you defined in the group-lock command; any other attempt would be denied.
Regards,
Luis Ramirez
VPN Team
Cisco TAC Support Engineer
09-12-2012 03:27 PM
John,
Please check Luis's explanation which is pretty clear (5 stars).
On the other hand, to give you a little bit more information to read:
Usage Guidelines
To disable group-lock, use the group-lock none command.
Group-lock restricts users by checking if the group configured in the VPN Client is the same as the tunnel group to which the user is assigned. If it is not, the ASA prevents the user from connecting. If you do not configure group-lock, the ASA authenticates users without regard to the assigned group.
Examples
The following example shows how to set group lock for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# group-lock value tunnel group name
From the ASDM:
Let me know if you have any further questions.
Portu.
Please rate any post you find helpful.
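To tie Luis's explanation and the usage guidelines above together, here is a worked ASA configuration added to this thread as an illustration; it is not taken from any of the posts or from Cisco documentation. The server address, RADIUS key, tunnel-group names (TG-CLIENTA, TG-CLIENTB), group-policy names (GP-CLIENTA, GP-CLIENTB) and the group-url paths are all assumed for the example, and the vpn-tunnel-protocol keywords assume ASA 8.4 or later (on 8.0-8.3 the equivalent keywords are svc and webvpn).

```text
! --- Example only: names, addresses and key are assumptions, not from the thread ---
! RADIUS server group pointing at the ACS 5.3 box
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key ExampleSharedSecret
!
! One group policy per client. group-lock binds the policy to exactly one
! tunnel group; a user who lands here from any other tunnel group is dropped.
group-policy GP-CLIENTA internal
group-policy GP-CLIENTA attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 group-lock value TG-CLIENTA
!
group-policy GP-CLIENTB internal
group-policy GP-CLIENTB attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 group-lock value TG-CLIENTB
!
! One tunnel group per client, each authenticating against ACS.
tunnel-group TG-CLIENTA type remote-access
tunnel-group TG-CLIENTA general-attributes
 authentication-server-group ACS
 default-group-policy GP-CLIENTA
tunnel-group TG-CLIENTA webvpn-attributes
 group-alias ClientA enable
 group-url https://sslvpn.bla.bla.com/clienta enable
!
tunnel-group TG-CLIENTB type remote-access
tunnel-group TG-CLIENTB general-attributes
 authentication-server-group ACS
 default-group-policy GP-CLIENTB
tunnel-group TG-CLIENTB webvpn-attributes
 group-alias ClientB enable
 group-url https://sslvpn.bla.bla.com/clientb enable
!
! Show the group drop-down on the login page so users pick a tunnel group.
webvpn
 enable outside
 tunnel-group-list enable
!
! ACS side (authorization profile, not ASA config): return IETF RADIUS
! attribute 25 (Class) for each user in the form  OU=GP-CLIENTA;  or
! OU=GP-CLIENTB;  so the ASA applies that group policy instead of the
! tunnel group's default.
```

How the check plays out: a ClientB user who picks the ClientA alias authenticates successfully against ACS, ACS returns Class OU=GP-CLIENTB;, the ASA applies GP-CLIENTB, sees group-lock value TG-CLIENTB while the session came in on TG-CLIENTA, and terminates the connection. The caveat is that the lock only bites if ACS actually returns a Class attribute for every user; a user for whom ACS returns nothing falls back to the tunnel group's default-group-policy, which by construction matches that tunnel group, so the lock passes. For that reason it is worth keeping John's ACS-side rule (authorize only when the user's Identity Group matches the tunnel group the ASA reports) as well, so a mismatch is rejected at the server even if the Class mapping is incomplete.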