Solved

Using MS IAS For VPN AAA .. Works .. But Not Controlling Network Access

Posted on 2007-10-17
Last Modified: 2012-06-27
Hello all. First post. I have lurked here for years and have found so many answers, fixes and assistance for many of my problems, and decided it's time to give back and get some help at the same time =-)

Moving on..

I have an ASA 5520 working just fine doing AAA with MS IAS. I have 2 groups and I can log in as any user from those groups with no problems. Based on the split-tunnel-acl I have network access also with no problems.

What I'm trying to do though is figure out 2 things.

1. How can I use MS IAS to control network access?

What I would like is to have the GROUP_SplitTunnelAcl say something like:

- permit 10.10.1.0 255.255.255.0

But using MS IAS, block access to 10.10.1.5.

I understand that you can control the ACL of the VPN group by specifying an ACL in the Filter-Id.

I found this out here: http://support.microsoft.com/kb/283829. But I have still not been able to make even that work. I think it has to do with something on the IAS server.

- What I have added / tried already is:
* Service-Type: Login

- I have added the Cisco av-pair in the following formats and none work:
- ip:inacl#=deny icmp any host 10.10.1.5
- ip:inacl#99=deny icmp any host 10.10.1.5
- ip:access-list GROUP_splitTunnelAcl deny icmp any 10.10.1.5

I have also tried adding these statements in the Vendor-Specific Attribute settings, identifying the following:

- Vendor-Specific Attribute: Cisco
- Vendor-assigned attribute number: 1
- ip:inacl#=deny icmp any host 10.10.1.5
- ip:inacl#99=deny icmp any host 10.10.1.5
- ip:access-list GROUP_splitTunnelAcl deny icmp any 10.10.1.5

2. How can ASA ACLs be written, applied and used? (That might be 3 things as one!)

- Must they be standard format?
------ If so, this means you can't write them to block protocol (ICMP, TCP, WWW) access, right?
------ If not, then how come I can't get my DENY ACLs above the PERMIT statements to work?

What I found funny is that even trying to set a DENY using protocol (ICMP) in the GROUP_SplitTunnelAcl didn't even work and is not respected when connected via VPN. This is what makes me believe you can't write STANDARD ACLs to block protocol (ICMP, TCP, WWW) access.

So in short, this thing works fine, but I'd like to do per-group/user network access control. I'd like to have the split-tunnel-acl say allow access to the 10.10.1.0/24 subnet, but for Group A deny IP access to 10.10.1.5 and for Group B deny tcp to 10.10.1.8 eq www.

Hope I'm painting a clear picture. If not, I will provide what is needed to help you help me :-)

Thanks in advance and I'm really excited to be a person in need here at EE!

LBS
Question by:LBSources

23 Comments
LVL 5

Expert Comment

by:Darkstriker69
ID: 20097872
I have done this to utilize different group policies for the SSL web-vpn. Hopefully what I found will help.

- In IAS create a new remote access VPN policy using the wizard. Change the authentication type to PAP as usual.
- Add your Windows group that contains your remote users as a policy condition.
- Go to the advanced tab and remove any attributes in the "attributes pane".
- Add a new attribute, select "class" and click "add".
- Enter the attribute as a string, and for the string the entry will be OU=ciscoVPNgroupname, e.g. OU=VPNgroup1.
- Then add a second remote access policy, add the Windows group that contains the other remote users and add a class that contains the group name of the second Cisco VPN group.

This tells IAS to return the VPN group to the firewall.

Hope this helps

Darkstriker69
LVL 1

Author Comment

by:LBSources
ID: 20098063
While this is useful, it doesn't help me with my problem at all. Thanks for the help though!

LBS
LVL 79

Expert Comment

by:lrmoore
ID: 20099958
You can do it right on the ASA:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Split-tunnel ACLs are always standard ACLs on the ASA.

Review this link for information on downloadable ACLs using RADIUS:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1043681
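The distinction in the comment above (the split-tunnel list is a standard, address-only ACL, while per-user filtering comes from a downloadable ACL that the RADIUS server returns) is easier to see with the evaluation written out. The following Python is an added illustration, not code from this thread, from the ASA or from IAS: it parses cisco-avpair values of the form `ip:inacl#<n>=<extended ACE>`, orders them by the index, and evaluates flows first-match with the implicit deny at the end. The two attribute sets model one IAS remote-access policy per Windows group, as in the accepted answer. The hosts (10.10.1.5, 10.10.1.8 eq www, 10.10.1.0/24) come from the question; the index values 10/20, the client source address 10.10.1.60, the `PORT_NAMES` table and the subset of ACE syntax handled are assumptions made for the demonstration.

```python
"""Added illustration (not code from the thread, the ASA or IAS): how the ASA
applies a per-user ACL delivered in cisco-avpair attributes of the form
ip:inacl#<n>=<extended ACE>. Entries are ordered by <n>, matched first-hit,
and unmatched traffic falls to the implicit deny, like any static ASA ACL."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}  # assumed subset of ASA keywords


@dataclass
class Ace:
    index: int
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" | "tcp" | "udp" | "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # only for tcp/udp "eq <port>"


def _parse_addr(w: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """ASA extended syntax: 'any' | 'host A.B.C.D' | 'A.B.C.D <subnet mask>'."""
    if w[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if w[i] == "host":
        return ipaddress.IPv4Network(w[i + 1] + "/32"), i + 2
    # ASA takes a real subnet mask (255.255.255.0) here, not an IOS wildcard.
    return ipaddress.IPv4Network(f"{w[i]}/{w[i + 1]}"), i + 2


def parse_avpair(avpair: str) -> Ace:
    """One 'ip:inacl#<n>=<ace>' string -> Ace; unknown syntax fails loudly."""
    m = AVPAIR_RE.match(avpair.strip())
    if not m:
        raise ValueError(f"not an ip:inacl av-pair: {avpair!r}")
    index, w = int(m.group(1)), m.group(2).split()
    action, proto = w[0], w[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported ACE: {avpair!r}")
    src, i = _parse_addr(w, 2)
    dst, i = _parse_addr(w, i)
    dport = None
    if i < len(w):
        if w[i] != "eq" or proto not in ("tcp", "udp") or i + 2 != len(w):
            raise ValueError(f"unsupported port clause: {avpair!r}")
        dport = PORT_NAMES.get(w[i + 1]) or int(w[i + 1])
    return Ace(index, action, proto, src, dst, dport)


def build_acl(avpairs: List[str]) -> List[Ace]:
    """The ASA orders entries by the #<n> index, not by arrival order."""
    return sorted((parse_avpair(a) for a in avpairs), key=lambda a: a.index)


def permitted(acl: List[Ace], proto: str, src: str, dst: str,
              dport: Optional[int] = None) -> bool:
    """First match wins; falling off the end is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def in_split_tunnel(standard_acl: List[Tuple[str, str]], dst: str) -> bool:
    """The split-tunnel list is a standard ACL: addresses only. It decides what
    enters the tunnel and cannot express protocol or port at all."""
    for action, network in standard_acl:
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(network):
            return action == "permit"
    return False


SPLIT_TUNNEL_ACL = [("permit", "10.10.1.0/255.255.255.0")]  # from the question

# Constructed from the question's goals: what each IAS remote-access policy (one
# per Windows group) would return. Denies first, then a permit for the subnet;
# an attribute set holding only a deny line blocks everything else. Indexes assumed.
RADIUS_POLICIES = {
    "IT": [
        "ip:inacl#10=deny ip any host 10.10.1.5",
        "ip:inacl#20=permit ip any 10.10.1.0 255.255.255.0",
    ],
    "operations_USERS": [
        "ip:inacl#10=deny tcp any host 10.10.1.8 eq www",
        "ip:inacl#20=permit ip any 10.10.1.0 255.255.255.0",
    ],
}


def access_for(group: str, proto: str, dst: str, dport: Optional[int] = None,
               src: str = "10.10.1.60") -> bool:
    """Can a client of <group> (src assumed from its address pool) reach dst?"""
    if not in_split_tunnel(SPLIT_TUNNEL_ACL, dst):
        return False  # traffic never enters the tunnel
    return permitted(build_acl(RADIUS_POLICIES[group]), proto, src, dst, dport)


if __name__ == "__main__":
    for g in RADIUS_POLICIES:
        print(g, access_for(g, "icmp", "10.10.1.5"), access_for(g, "tcp", "10.10.1.8", 80))
```

Run as-is, the IT client is refused ICMP to 10.10.1.5 but reaches the web server on 10.10.1.8, and the operations client gets the opposite treatment. Two checks worth keeping in mind when building the attributes in IAS: the ASA sorts by the `#<n>` index, so a deny with a higher index than the permit never fires; and an attribute set that carries only `ip:inacl#99=deny tcp any any`, with no permit line, permits nothing under these semantics, so the per-user ACL needs its own permit for the subnet the split-tunnel list already carries.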
LVL 1

Author Comment

by:LBSources
ID: 20099972
I understand it's possible on the ASA, but I'm looking to do this using the MS IAS Cisco av-pair or other options. Great link though.

LBS
LVL 79

Expert Comment

by:lrmoore
ID: 20099985
The second link above should help.
LVL 1

Author Comment

by:LBSources
ID: 20100102
I see. But if you look at my original post, I have tried this already. I'll try again...
LVL 1

Author Comment

by:LBSources
ID: 20100496
So I have tried using the Cisco av-pair and the vendor-specific attributes.

I entered:

- For Cisco av-pair: ip:inacl#99=deny tcp any any
--- I was able to get to the web page of one of the servers allowed access to in the split-tunnel-acl

- For Vendor-Specific:
-- "Specify Network Access Server vendor" = Cisco
-- "Yes. It conforms"

---- "Configure attribute"
-- Vendor-assigned attribute number = 1
-- "Attribute format" = String
-- "Attribute value" = ip:inacl#99=deny tcp any any

I can still get to the webserver.

Thanks

LBS
LVL 1

Author Comment

by:LBSources
ID: 20107735
Is there anything additional I can provide to help you folks help me? Configs? More info?

LBS
LVL 79

Expert Comment

by:lrmoore
ID: 20111388
The ASA config wouldn't hurt. Don't mask out too much information, and you can post it on http://www.ee-stuff.com for better security. Post the link back here.
LVL 1

Author Comment

by:LBSources
ID: 20113499
I believe I have found the problem.

Here is the deal:

I am trying to authenticate to IAS for 2 VPN groups. The RADIUS client IPs are obviously the same as they are sent out on the same interface.

It seems from the logs that IAS cannot determine the correct connection policy or friendly name.

I have set additional parameters for the connection policy (friendly name, Windows group, etc.), but it still seems that it can't sort out which to apply to the inbound requests.

Is my thinking right?

I have solved the original problem by removing one of the VPN groups and applying the ACL as mentioned in my first post, but I was struck off course after looking at the event in IAS a little closer. So I'm wondering how I can overcome this issue.

Upping the points for this issue, folks. I'm stumped; been working on this for 2 days now. Any help is appreciated.

Thanks..

LBS
LVL 5

Expert Comment

by:Darkstriker69
ID: 20114842
What you are describing sounds exactly like what I posted originally. You need to have two IAS policies and to use the class option to return the correct VPN group to the ASA.
LVL 1

Author Comment

by:LBSources
ID: 20115042
I have done this and the logs still show the incorrect policy being applied.

I have 2 different VPN groups in the ASA.
Using 2 different users in different groups in AD and added into AD.
I tried using the client-friendly-name also so that an inbound connection coming from vpngroup1 in the ASA will use remote access policy b, but it just seems to ignore it.

I was thinking it was the fact it's the same IP, but I don't know anymore.

Lost..

LBS
LVL 1

Author Comment

by:LBSources
ID: 20115169
Here are the relevant configs from the ASA..

This is the IT VPN config which works; I can apply an ACL using the Cisco av-pair and it works for the original problem. There is no problem with this config.

------------------------------------
ip local pool IT 10.10.1.5-10.10.1.50 mask 255.255.255.0
aaa-server server_IT_VPN protocol radius
 reactivation-mode depletion deadtime 1
aaa-server server_IT_VPN (operations) host RADSVR
 key XXXXXXXXXXXX

group-policy IT internal
group-policy IT attributes
 dns-server value 10.10.1.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IT_splitTunnelAcl
 default-domain value mydomain.com

tunnel-group IT type ipsec-ra
tunnel-group IT general-attributes
 address-pool IT
 authentication-server-group server_IT_VPN LOCAL
 default-group-policy IT
tunnel-group IT ipsec-attributes
 pre-shared-key *
-----------------------------------

This is the VPN group which wont work. In my VPN client I am using this groups credentials..

----------------------------------
ip local pool operations_USERS 10.10.1.51-10.10.1.100 mask 255.255.255.0
aaa-server operations_USERS protocol radius
 reactivation-mode depletion deadtime 1
aaa-server operations_USERS (operations) host RADSVR
 key XXXXXXXXXXXX

group-policy operations_USERS internal
group-policy operations_USERS attributes
 dns-server value 10.10.1.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value operations_USERS_splitTunnelAcl
 default-domain value mydomain.com

tunnel-group operations_USERS type ipsec-ra
tunnel-group operations_USERS general-attributes
 address-pool operations_USERS
 authentication-server-group operations_USERS LOCAL
 default-group-policy operations_USERS
tunnel-group operations_USERS ipsec-attributes
 pre-shared-key *
-----------------------------------------

This is just for router authentication using the RADIUS server; this works with no problems. It's how I get into the ASA.

aaa-server EXT_ROUTER-ACCESS protocol radius
 reactivation-mode depletion deadtime 1
aaa-server EXT_ROUTER-ACCESS (operations) host RADSVR
 key XXXXXXXXXXXX
-----------------------------------------

Hope this helps ..

Thanks..

LBS
LVL 1

Author Comment

by:LBSources
ID: 20115218
I'm sorry. The other part which doesn't work in that config is the ROUTER-ACCESS. I got this one confused with my other ASA which DOES work and comes from a different IP.

Again, another reason for my speculation...

Anytime I try to auth using the RADIUS server for router (ASA) access, the debug on the ASA shows the following:

AAA_BindServer: No server chosen
Maximum number of tries (3) exceeded
ERROR: No error

Sorry for the confusion..

LBS
LVL 5

Expert Comment

by:Darkstriker69
ID: 20115221
OK, so based on your config:

You should create a windows group with your "IT" people in it and create a IAS remote access policy with just the VPN default options. The main IAS remote access policy should only have "NAS-port matches "Virtual (VPN)"" at this time. On the main page of your IAS remote access policy click "add" to add a policy condition and select windows groups and choose the windows group that has your "IT" people as a condition of IAS. Then in

Then in that IAS policy:
click "edit profile"
click the "advanced tab"
remove all existing attributes
click "add" add a new attribute
double click "class"
type "OU=IT" (without the quotes)

repeate but for "operations_USERS"

I aggree that your ASA config looks correct.

Darkstriker69
LVL 1

Author Comment

by:LBSources
ID: 20115464
What about connection policies? Is any of that necessary?

I'm still coming up dry here. No luck at all.
LVL 5

Expert Comment

by:Darkstriker69
ID: 20115548
I am not familiar with "connection policies". Maybe I misunderstand what you are trying to do.

Are you trying to do the following:

Have 2 Windows groups, one with all your IT people and one with all your operations_USERS people.
When the IT people log in to your Cisco VPN you want them to have access to 10.10.1.5.
When the operations_USERS log in to your Cisco VPN you want them NOT to have access to 10.10.1.5.

If there is more to your scenario let me know.

Otherwise the concept would be that:

- The firewall sends a RADIUS request to IAS
- IAS returns the group policy the ASA should use based on the user that logs in and what Windows group he/she is in
- The PIX uses certain access lists based on what group policy is returned by IAS
- The user has or does not have appropriate access

Please let me know if I am confused.
LVL 1

Author Comment

by:LBSources
ID: 20115858
Well, for the sake of simplicity let's eliminate the complicated parts right now, since I've solved this on my own. But the problem I originally had stems from the issues I'm having now.

What I'm trying to do is:

Have 2 Windows groups, one with all IT people and one with all operations_USERS. When the IT people log in to the VPN they get their ACL defined by Cisco av-pair attributes. When the operations_USERS log in to the VPN they get their ACL defined by Cisco av-pair attributes.

Now I have gotten the latter of this 2-part scenario to work (ACL pushed to VPN group). But I can only have 1 group for it to work.
LVL 5

Expert Comment

by:Darkstriker69
ID: 20115935
I see I was not even close.

So let's try again.

You are using IAS to push access-list settings directly to the clients via av-pairs?
What limits you to having just one group?
Specifically, is IAS limiting you, or the ASA, or something else?

Again, correct me if I am off base.
LVL 1

Author Comment

by:LBSources
ID: 20115946
So based on your question, I can have just 1 VPN group, and at the RADIUS server have an entry for 1 client and use the remote access policies to determine access and the Cisco av-pair attributes I'm wanting to push?

Is that what you are getting at?
LVL 5

Accepted Solution

by:
Darkstriker69 earned 2000 total points
ID: 20115963
I am truly just trying to understand exactly what you're trying to do and where you're stuck.

I would say if you have av-pairs working from IAS then you could have just 1 vpn-group and create 2 separate remote access policies with your Windows group as a condition on each policy, so that when a user from the IT group authenticated, because of the extra condition of the Windows group, he would get passed any av-pair settings on that remote access policy.

Is it IAS that is restricting you?
LVL 1

Author Comment

by:LBSources
ID: 20115981
No. It was just my belief that I had to create a new RADIUS client in IAS for each VPN group :-) Let's say inexperience.

Again, I'm trying to do what you recommended here, but with 2 separate RADIUS clients & groups, when the right way might be 1 RADIUS client and VPN group on the ASA and split them at the RADIUS server.

I don't have any limits, just misinformed I think.

But your last suggestion might be the solution. I will try this scenario a bit later and post back the results.

Thanks. I'd love to give you the points for all your efforts!

LBS
LVL 1

Author Comment

by:LBSources
ID: 20116144
Darkstriker! You have done it!

This was due to my inexperience with IAS and, I'm guessing, my inability to be clear about what I was doing.

You were right, buddy. Just 1 group and use the OU=vpn group. My ACLs work and I'm a happy man! I created the problem by having 2 clients and using 2 VPN groups when it's obviously not necessary, at least for me.

Thanks!

LBS