LBSources

asked on
Using MS IAS For VPN AAA .. Works .. But Not Controlling Network Access

Hello All.. First post.. I have lurked here for years and have found so many answers, fixes and assistance for many of my problems, and decided it's time to give back and get some help at the same time =-)

Moving on..

I have an ASA 5520 working just fine doing AAA with MS IAS. I have 2 groups and I can log in as any user from those groups with no problems. Based on the split-tunnel-acl I have network access also with no problems.

What I'm trying to do though is figure out 2 things.

1. How can I use MS IAS to control network access?

What I would like is to have the GROUP_SplitTunnelAcl say something like:

- permit 10.10.1.0 255.255.255.0

But use MS IAS to block access to 10.10.1.5.

I understand that you can control the ACL of the VPN group by specifying an ACL in the filter-id.

I found this out here: http://support.microsoft.com/kb/283829 .. But I have still not been able to make even that work out. I think it has to do with something on the IAS server.

- What I have added / tried already is:
* Service-Type: Login

- I have added Cisco av-pair in the following format and none work:
- ip:inacl#=deny icmp any host 10.10.1.5
- ip:inacl#99=deny icmp any host 10.10.1.5
- ip:access-list GROUP_splitTunnelAcl deny icmp any 10.10.1.5

I have also tried adding these statements in the Vendor Specific attribute settings, identifying the following:

- Vendor-Specific Attribute: Cisco
- Vendor-assigned attribute number: 1
- ip:inacl#=deny icmp any host 10.10.1.5
- ip:inacl#99=deny icmp any host 10.10.1.5
- ip:access-list GROUP_splitTunnelAcl deny icmp any 10.10.1.5

2. How can ASA ACLs be written, applied and used (that might be 3 things as one!)?

- Must they be standard format?
------ If so, this means you can't write them to block protocol (ICMP, TCP, WWW) access, right?
------ If not, then how come I can't get my DENY ACLs above the PERMIT statements to work?

What I found funny is that even trying to set a DENY using a protocol (ICMP) in the GROUP_SplitTunnelAcl didn't work and is not respected when connected via VPN. This is what makes me believe you can't write STANDARD ACLs to block protocol (ICMP, TCP, WWW) access.

So in short.. this thing works fine, but I'd like to do this per group/user network access control. I'd like to have the split-tunnel-acl say allow access to the 10.10.1.0/24 of a subnet, but for Group A deny IP access for 10.10.1.5 and for Group B deny tcp to 10.10.1.8 eq www.

Hope I'm painting a clear picture. If not, I will provide what is needed to help you help me :-)

Thanks in advance and I'm really excited to be a person in need here at EE!

LBS
Darkstriker69

I have done this to utilize different group policies for the SSL web VPN. Hopefully what I found will help.

- In IAS create a new remote access VPN policy using the wizard. Change the authentication type to PAP as usual.
- Add your Windows group that contains your remote users as a policy condition.
- Go to the advanced tab and remove any attributes in the "attributes pane".
- Add a new attribute, select "class" and click "add".
- Enter the attribute as a string; the string will be OU=ciscoVPNgroupname, i.e. OU=VPNgroup1.
- Then add a second remote access policy, add the Windows group that contains the other remote users, and add a class that contains the group name of the second Cisco VPN group.

This tells IAS to return the VPN group to the firewall.

Hope this helps

Darkstriker69
LBSources (ASKER)

While this is useful, it doesn't help me with my problem at all. Thanks for the help though!

LBS
You can do it right on the ASA
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Split-tunnel ACLs are always standard ACLs on the ASA.

Review this link for information on downloadable acls using Radius
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1043681
I understand it's possible on the ASA, but I'm looking to do this using the MS IAS Cisco av-pair or other options.. Great link though..

LBS
The second link above should help.
I see.. But if you see my original post, I have tried this already.. I'll try again ...
So I have tried using the Cisco av-pair and the vendor specific attributes.

I entered:

- For Cisco av-pair: ip:inacl#99=deny tcp any any
--- I was able to get to the web page of one of the servers allowed access in the split-tunnel-acl

- For Vendor Specific:
-- "Specify Network Access Server vendor" = Cisco
-- "Yes. It conforms"

---- "Configure attribute"
-- "Vendor-assigned attribute number" = 1
-- "Attribute format" = String
-- "Attribute value" = ip:inacl#99=deny tcp any any

I can still get to the webserver ..

Thanks

LBS
Is there anything additional I can provide to help you folks help me? Configs? More info?

LBS
The ASA config wouldn't hurt. Don't mask out too much information, and you can post it on http://www.ee-stuff.com for better security. Post the link back here.
I believe I have found the problem ..

Here is the deal..

I am trying to authenticate to IAS for 2 VPN groups. The Radius Client IPs are obviously the same as they are sent out on the same interface.

It seems from the logs that IAS cannot determine the correct connection policy or friendly name.

I have set additional parameters for the connection policy (friendly name, Windows group, etc.), but it still seems that it can't sort out which to apply to the inbound requests.

Is my thinking right?

I have solved the original problem by removing one of the VPN groups and applying the ACL as mentioned in my first post, but I was thrown off course after looking at the event in IAS a little closer. So I'm wondering how I can overcome this issue.

Upping the points for this issue folks.. I'm stumped.. been working on this for 2 days now.. Any help is appreciated..

Thanks..

LBS
What you are describing sounds exactly like what I posted originally. You need to have two IAS policies and to use the class option to return the correct VPN group to the ASA.
I have done this and the logs still show the incorrect policy being applied..

I have 2 different VPN groups in the ASA
Using 2 different users in different groups in AD and added into AD.
I tried using the client-friendly-name also, so that an inbound connection coming from vpngroup1 in the ASA will use remote access policy b, but it just seems to ignore it.

I was thinking it was the fact it's the same IP .. but I don't know anymore..

Lost..

LBS
Here are the relevant configs from the ASA..

This is the IT VPN config which works; I can apply an ACL using the Cisco av-pair and it works as in the original problem.. There is no problem with this config..

------------------------------------
ip local pool IT 10.10.1.5-10.10.1.50 mask 255.255.255.0
aaa-server server_IT_VPN protocol radius
 reactivation-mode depletion deadtime 1
aaa-server server_IT_VPN (operations) host RADSVR
 key XXXXXXXXXXXX

group-policy IT internal
group-policy IT attributes
 dns-server value 10.10.1.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IT_splitTunnelAcl
 default-domain value mydomain.com

tunnel-group IT type ipsec-ra
tunnel-group IT general-attributes
 address-pool IT
 authentication-server-group server_IT_VPN LOCAL
 default-group-policy IT
tunnel-group IT ipsec-attributes
 pre-shared-key *
-----------------------------------

This is the VPN group which won't work. In my VPN client I am using this group's credentials..

----------------------------------
ip local pool operations_USERS 10.10.1.51-10.10.1.100 mask 255.255.255.0
aaa-server operations_USERS protocol radius
 reactivation-mode depletion deadtime 1
aaa-server operations_USERS (operations) host RADSVR
 key XXXXXXXXXXXX

group-policy operations_USERS internal
group-policy operations_USERS attributes
 dns-server value 10.10.1.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value operations_USERS_splitTunnelAcl
 default-domain value mydomain.com

tunnel-group operations_USERS type ipsec-ra
tunnel-group operations_USERS general-attributes
 address-pool operations_USERS
 authentication-server-group operations_USERS LOCAL
 default-group-policy operations_USERS
tunnel-group operations_USERS ipsec-attributes
 pre-shared-key *
-----------------------------------------

This is just for router authentication using the RADIUS server; this works with no problems. It's how I get into the ASA.

aaa-server EXT_ROUTER-ACCESS protocol radius
 reactivation-mode depletion deadtime 1
aaa-server EXT_ROUTER-ACCESS (operations) host RADSVR
 key XXXXXXXXXXXX
-----------------------------------------

Hope this helps ..

Thanks..

LBS
I'm sorry .. The other part which doesn't work in that config is the ROUTER-ACCESS. I got this one confused with my other ASA which DOES work and comes from a different IP.

Again another reason about my speculation...

Anytime I try to auth using the radius server for router(ASA) access the debug on the ASA shows the following..

AAA_BindServer: No server chosen
Maximum number of tries (3) exceeded
ERROR: No error

Sorry for the confusion..

LBS
OK, so based on your config:

You should create a Windows group with your "IT" people in it and create an IAS remote access policy with just the VPN default options. The main IAS remote access policy should only have "NAS-port matches "Virtual (VPN)"" at this time. On the main page of your IAS remote access policy click "add" to add a policy condition, select Windows groups, and choose the Windows group that has your "IT" people as a condition of IAS.

Then in that IAS policy:
click "edit profile"
click the "advanced tab"
remove all existing attributes
click "add" add a new attribute
double click "class"
type "OU=IT" (without the quotes)

Repeat, but for "operations_USERS".

I agree that your ASA config looks correct.

Darkstriker69
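Added example, not code from this thread or from Cisco or Microsoft: it builds the two RADIUS attributes the posts above rely on, the Class attribute carrying OU=<group-policy> that Darkstriker69 describes and the cisco-avpair ip:inacl# entries LBSources tried, as RFC 2865 bytes (Class = type 25; Vendor-Specific = type 26, vendor 9, sub-attribute 1), decodes them back, and evaluates the resulting ACL in first-match order. The Access-Accept payload, the ACE lines and the group name "IT" are constructed for illustration, and the evaluator is a simplified model that ignores source addresses and ports, not the ASA's own ACL engine.

```python
import struct
RADIUS_CLASS, RADIUS_VSA = 25, 26        # RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1     # Cisco VSA: vendor 9, sub-attribute 1 = cisco-avpair

def class_attr(group):
    """Class attribute carrying OU=<group>; the ASA reads it as the group-policy name."""
    value = ("OU=" + group).encode()
    return struct.pack("!BB", RADIUS_CLASS, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific attribute wrapping one cisco-avpair string."""
    value = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return struct.pack("!BBI", RADIUS_VSA, 6 + len(inner), CISCO_VENDOR_ID) + inner

def decode(blob):
    """Walk a RADIUS attribute blob; return (group-policy name, [av-pair strings])."""
    group, pairs, i = None, [], 0
    while i < len(blob):
        t, l = blob[i], blob[i + 1]
        body = blob[i + 2:i + l]
        if t == RADIUS_CLASS and body.startswith(b"OU="):
            group = body[3:].decode()
        elif t == RADIUS_VSA and struct.unpack("!I", body[:4])[0] == CISCO_VENDOR_ID:
            if body[4] == CISCO_AVPAIR:
                pairs.append(body[6:body[5] + 4].decode())
        i += l
    return group, pairs

def parse_inacl(pairs):
    """ip:inacl#N=<ace> lines ordered by N as (action, proto, dst); ports are ignored."""
    aces = []
    for p in pairs:
        if p.startswith("ip:inacl#"):
            idx, ace = p[len("ip:inacl#"):].split("=", 1)
            action, proto, _src, *rest = ace.split()
            dst = rest[1] if rest[0] == "host" else rest[0]   # "host X" or "any"
            aces.append((int(idx or 0), action, proto, dst))
    return [a[1:] for a in sorted(aces)]

def permitted(aces, proto, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, p, d in aces:
        if p in (proto, "ip") and d in (dst, "any"):
            return action == "permit"
    return False

# Constructed sample Access-Accept attributes, not taken from the thread's IAS server.
ACCEPT = (class_attr("IT") + cisco_avpair("ip:inacl#99=deny icmp any host 10.10.1.5")
          + cisco_avpair("ip:inacl#100=permit ip any any"))
```

The ordering matters: an ip:inacl# entry with a lower index is evaluated first, so a deny for one host only takes effect if it sorts ahead of the broad permit, which is the situation the original question was circling.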
What about connection policies? Is any of that necessary?

I'm still coming up dry here.. No luck at all ..
I am not familiar with "connection policies". Maybe I misunderstand what you are trying to do.

Are you trying to do the following:

Have 2 windows groups one with all your IT people and one with all your operations_USERS people
When the IT people log in to your Cisco VPN you want them to have access to 10.10.1.5
when the operations_USERS log in to your Cisco VPN you want them NOT to have access to 10.10.1.5

If there is more to your scenario let me know.

Otherwise the concept would be that

- The firewall sends a radius request to IAS
- IAS returns the group policy the ASA should use based on the user that logs in and what Windows group he/she is in
- The PIX uses certain access lists based on what group policy is returned by IAS
- The user has or does not have appropriate access

Please let me know if I am confused.
Well, for the sake of simplicity let's eliminate the complicated parts right now, since I've solved this on my own. But the problem I originally had stems from the issues I'm having now..

What I'm trying to do is:

Have 2 windows groups one with all IT people and one with all operations_USERS. When the IT people log in to the VPN they get their ACL defined by Cisco av-pair attributes. When the operations_USERS log in to the VPN they get their ACL defined by Cisco av-pair attributes.

Now I have gotten the latter of this 2-part scenario to work (ACL pushed to VPN group). But I can only have 1 group for it to work..
I see I was not even close.

So let's try again.

You are using IAS to push access-list settings directly to the clients via av-pairs?
What limits you to having just one group?
Specifically, is IAS limiting you, or the ASA, or something else?

Again, correct me if I am off base.
So based on your question I can have just 1 VPN group, and at the RADIUS server have an entry for 1 client and use the remote access policies to determine access and the Cisco av-pair attributes I'm wanting to push?

Is that what you are getting at?
ASKER CERTIFIED SOLUTION
Darkstriker69

This solution is only available to members.
No.. It was just my belief that I had to create a new RADIUS client in IAS for each VPN group :-) .. Let's say inexperience..

Again, I'm trying to do what you recommended here, but with 2 separate RADIUS clients & groups, when the right way might be 1 RADIUS client and VPN group on the ASA and split them at the RADIUS server..

I don't have any limits, just misinformed I think..

But your last suggestion might be the solution.. I will try this scenario a bit later and post back the results..

Thanks.. I'd love to give you the points for all your efforts!

LBS
Darkstriker! You have done it!

This was due to my inexperience with IAS and, I'm guessing, my inability to be clear about what I was doing.

You were right buddy.. Just 1 group and use the OU=vpn group .. My ACLs work and I'm a happy man! .. I created the problem by having 2 clients and using 2 VPN groups when it's obviously not necessary.. at least for me..

Thanks!

LBS