
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 731

How to use Remote Access Permissions in AD to control Cisco SSL VPN access?

I've successfully configured my ASA 5510 to use AD for authentication of my VPN users.  I'd like to tighten access down and use Remote Access Permissions in AD to control who can use the resource.  Can someone point me in the right direction?
0
Asked by jwixted
2 Solutions
 
DTAHARLEV commented:
User's properties, the dial-in tab.
0
 
jwixted (author) commented:
Right, I know how to SET the rights, how do I get the ASA to evaluate them...
0
 
DTAHARLEV commented:
Oh, sorry... how do you have ISA configured? Is it set to pull a certain group with permissions, or just to authenticate the password against the domain controllers? Can you send a quick show run of the relevant part?
0
 
jwixted (author) commented:
Currently, the ASA (not ISA) authenticates the users against AD - if they have an enabled AD user account, they get access, regardless of the values in the Remote Access Permissions settings in AD.  Relevant (I think) section of the config (names & IPs modified):

aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.17.222.219
 nt-auth-domain-controller DC2
aaa-server ActiveDirectory (inside) host 10.17.222.211
 nt-auth-domain-controller DC1
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.17.222.219
 ldap-base-dn dc=mydomain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=vpnauth,OU=No Password Policy,DC=mydomain,DC=com
 server-type microsoft
 ldap-attribute-map ALLOWVPNACCESS
0
 
DTAHARLEV commented:
Simply disable the accounts at the end of the day

Just kidding. It's msNPAllowDialin.
0
 
jwixted (author) commented:
:)  I'd disable all the users, all the time, if I thought I'd get away with it!

How would I use msNPAllowDialin?
0
 
DTAHARLEV commented:
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS
0
 
jwixted (author) commented:
So, just replace my:

ldap-attribute-map ALLOWVPNACCESS

with

map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS

Or do I need to create an ldap-attribute-map, and drop those commands into that?
0
 
DTAHARLEV commented:
Got me there; not sure about the exact syntax. I believe you can just put it under what you have, the existing map.
0
 
ibiadmin6 commented:
We use AD groups to authenticate to Cisco ASAs. I did not do the Cisco end, but basically you create an AD group and a Cisco ASA group. You then map the Cisco group to the AD group. Then you apply your Cisco rules and rights to the Cisco group whose members are AD group members.

Easier to audit this way, plus you can create multiple groups in AD and on Cisco and map them for different rules and rights while on a VPN connection.

By the way, we created new AD security groups specific for the mapping to the Cisco groups. You can mail-enable them also to send notifications such as maintenance times, etc.
0
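The thread never shows the complete configuration that DTAHARLEV's map-value lines need, or how ibiadmin6's AD-group approach looks on the ASA side. The following is an added example, not config from the thread or from Cisco: it puts the two map-value lines inside a named ldap attribute-map, binds that map to the poster's LDAP server group, and defines the NOACCESS/ALLOWACCESS group policies the values refer to. The policy names, the tunnel-group name SSLVPN, the group DN CN=VPN-Users,OU=Groups,DC=mydomain,DC=com and the bind password are assumptions; the host, base DN and login DN are taken from the sanitized config posted above. The attribute map target is shown as IETF-Radius-Class, which is what ASA 7.x/8.0 uses (later releases name the same target Group-Policy).

```cisco
! Added example, not from the thread. Names marked below are assumed.
!
! Group policy that denies the tunnel: zero simultaneous logins means the
! user authenticates but is never allowed to connect.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Group policy for users that AD says may connect (limits are assumed values).
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client ssl-clientless
!
! Option A: honour the Dial-in tab. AD stores the tab's Allow/Deny choice in
! msNPAllowDialin as the string TRUE or FALSE.
ldap attribute-map ALLOWVPNACCESS
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS
!
! Option B: drive access from a dedicated AD security group instead.
! memberOf carries the full DN of every group the user belongs to; the group
! DN here is assumed.
ldap attribute-map GROUPVPNACCESS
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=mydomain,DC=com" ALLOWACCESS
!
! Bind ONE of the maps to the LDAP server group (use GROUPVPNACCESS for
! option B). Host, base DN and login DN come from the poster's config.
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.17.222.219
 ldap-base-dn dc=mydomain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=vpnauth,OU=No Password Policy,DC=mydomain,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map ALLOWVPNACCESS
!
! Fail closed: a user whose attribute maps to nothing (for example a Dial-in
! tab set to "Control access through NPS Network Policy", which leaves
! msNPAllowDialin unset, or a user in no mapped group) falls back to the
! tunnel-group default policy, so make that default NOACCESS.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy NOACCESS
```

Two checks are worth running after applying this. `test aaa-server authentication LDAP_SRV_GRP host 10.17.222.219 username <user> password <pw>` confirms the bind and search work, and `debug ldap 255` during a login attempt shows which attribute values came back and which group policy the map selected; a user who authenticates but is still denied with "Login denied, unauthorized" has landed in NOACCESS, which is the intended behaviour for anyone AD has not explicitly allowed.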
 
ibiadmin6 commented:
Cisco has a .pdf with step by step procedures that we used for the ASA's.
0
 
jwixted (author) commented:
Sorry, my bad.  I'll close the question and split the points.
0
 
jwixted (author) commented:
Applying your suggestions worked, but required a fair amount of additional research to implement.
0
