Link to home
Start Free TrialLog in
Avatar of chekfu
chekfu

asked on

Restrict authenticated IPSEC VPN user ONLY access to one server

Hi Expert

I will appreciate it very much if you can help me.

I have configured IPSec VPN Remote Access using Cisco ASA 5500 series. It has been working.

Recently, we have granted VPN permission to a vendor. So, I have created an account for the vendor, and then setup Cisco VPN Client with a imported pcf file onto his laptop.

How do I do that? To ONLY allow that vendor account to RDP to one server (e.g. 192.168.1.11).

I am thinking of Dynamic Access Policy (DAP). It may be a solution for me. However, I don't exactly understand how to configure it in step-by-step method.
Avatar of arnold
arnold
Flag of United States of America image

You could also limit his username to only have login rights to one server by way of a group policy.  I.e. user can only connect to servera.
But I think passing only the route to the one server as opposed to the whole segment will do the trick as well.  Unfortunately, can not help you with the specific step-by-step directions for the cisco stuff might be able to point you to the Windows GP.  But that will not limit a wayward/misguided employee of your vendor from trying to gain access to your other systems.

Let me try an see whether I can guide you to where you might be able to resolve this.

Are there multiple VPN policies where this vendor has its own specific VPN policy?
i.e. VPN1 for employees
VPN2 for Consultants if any
VPN3 for this vendor user?
In this case, your VPN3 should only pass that it can access one IP 192.168.1.11/32 or 192.168.1.11 netmask 255.255.255.255.

If you can post the VPN without the shared key, public IP that applies to this vendor, it might be possible for me to suggest something.
 Hi chekfu
      Well, for restricting only one or two, downloadable access lists would be an overhead. I have 2 suggestions.
     1)If you are using an Active-directory authentication method, you can assign a static IP to that user by editing the "Assign static IP" line in Dial-in permiisions tab of the user properties in AD users and computers. Then you can apply a filter ACL for that specific IP
     2) Create a tunnel group and a group policy for that specific user, and apply a filter ACL to that group policy.

Here is a how-to for filter ACL
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Regards
Avatar of chekfu
chekfu

ASKER

Hello arnold, MrHusy! Thanks for your kind help. I really appreciate it.

DAP will be easy, and flexible solution. I just don't understand how it configure and apply in this scenario.
Arnold's link apply to SSL VPN clients. What you need is described in following link

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1056570
Avatar of chekfu

ASKER

Hello arnold, MrHusy! Really thanks for your kind help again.

I still doubt on how to do it. Please enlighten me.
Please post your current configuration for this user.

I do not have enough information to guide you through a step by step process.

Is the VPN user authentication relyis on AD/IAS?  Is the VPN user a local user on the cisco ASA?  Is the user using a specific IPSEC VPN policy designed solely for this user?  Or this user is using a common IPSEC VPN policy used by all those who connect to your oraganization via a VPN?
Avatar of chekfu

ASKER

Hello arnold

My reply to you:
Q: Is the VPN user authentication relyis on AD/IAS?
A: Yes

Q: Is the VPN user a local user on the cisco ASA?
A: No. It is authenticated through AD/IAS

Q: Is the user using a specific IPSEC VPN policy designed solely for this user?
A: No. It is a same IPSEC VPN policy as other users.

Q: this user is using a common IPSEC VPN policy used by all those who connect to your oraganization via a VPN?
A: Yes
MrHussy's link references:
Configuring Any RADIUS Server for Downloadable Access Lists.
To distinguish this user from others, you might have to add this user to an additional group.  On the IAS server you would need to configure the additional parameters that will be sent as a response to an authentication request.
The  rule is to allow whatever IP the user will have to allow it to access 192.168.1.11.
I believe this should do.
ip:inacl#1=permit tcp any any 192.168.1.11 255.255.255.255
ip:inacl#2=deny tcp any any

Open in new window

Avatar of chekfu

ASKER

Thanks. Downloadable Access List is a solution and apply to my request.

However, can I use downloadable acls and IAS Radius and Acls are applied per user even with a common vpngroup? How to? Really appreciate your help.
Possibly, in IAS you might be able to configure a per user directives. What you should be looking for is in the same place where you can define a per group parameters as a response for successful authentication, whether there is a way to define a per user additional parameters. Unfortunately, do not have access to an IAS at this time to look.
chekfu,
   do you have an IAS installed, configured and converged with ASA ?
Avatar of chekfu

ASKER

Hello all

Currently, user authentication via IPSEC VPN I configured is actually through MS IAS which is running in Windows Server 2003.

I wonder on how to do that to resolve my problem. Let say, I have a domain user account called "vendor1". And I want to apply a Downloaded ACLs to only allow "vendor1" RDP to 192.168.1.11.

I know that there is a way of using one common group policy in ASA and create two Remote Access Policies in IAS. How do I edit Profile in IAS to tell a user account "vendor1" is detected, then apply this downloaded ACLs?

Can help? Thanks in advanced!
ASKER CERTIFIED SOLUTION
Avatar of Alan Huseyin Kayahan
Alan Huseyin Kayahan
Flag of Sweden image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
MrHussy,

The asker wants to only allow the vendor to connect to the one server via RDP.  Your AV-Pair directives are in oposition to that.

In IAS, there does not appear to be an option in the select attribute section a windows-user condition.  As MrHussy points out, there is a windows-groups.

Note however, once the vendor has access to the local system, said user can then log on to anyother system on the network as well.  You would need to use group policies to also deny the vendor user login rights to other systems.

Avatar of chekfu

ASKER

Hello MrHusy

Awesome! It is what I'm looking for. You are so helpful.

However, is there a way I can tell IAS to check user "vendor1" instead of creating a new security group and adding "vendor1" into the group?

Is aaa-user-<username> command works and add it in Cisco-AV-Pair?
 My above input is very easy-to-understand and step-by-step. A very little knowledge about ACLs is enough to modify it according to needs. Here is the ACL that asker needs.

ip:inacl#1=permit tcp any host 192.168.1.11 eq 3389
ip:inacl#100=deny ip any any
MrHussy,

No argument that you provided a step by step.  Was just trying to clarify that while the example would enable the asker to setup/configure what they need, that the av-pair rules would need to be altered to fit the question.
"Is aaa-user-<username> command works and add it in Cisco-AV-Pair"
   I think this (username based) is only compatible with Cisco Secure ACS and some other RADIUS servers like Radiator.  Windows IAS does not have a user attribute, yet assigning access-lists in user by user basis may cause administrative overhead.
Avatar of chekfu

ASKER

Really? You advise the best practice is good to create as a security groups to do control rather than an individual user, right?
 I dont see a negative effect of using security groups instead assigning ACLs individually. Microsoft would have added a "User based" attribute next to "Windows group" if they have seen this a lack of security issue. Also I have previously experienced Windows Group attribute in IAS and never seen a side effect.
  But if it is a must for you to do it user based, you should implement a different RADIUS solution.
Avatar of chekfu

ASKER

awesome, MrHusy
It works!
Do you mind to tell? how to control permit or deny ACL using hostname instead of IP address? Also, how to permit or deny ACL using group instead of one by one?

Let say, for example:
ip:inacl#1=permit tcp any host DC1 eq 3389, does it work?

Should I add one more ACL eq53 for resolving DNS.
If document or article found, I can read it by myself.
Hi chekfu
    PIX does not support querying hostnames so there is no way to assign ACLs to hostnames. But if you like you can use name command to specify names locally.
    You can use object-group  command to create groups.

Regards
Avatar of chekfu

ASKER

Appreciated! =)