Solved

How to use Remote Access Permissions in AD to control Cisco SSL VPN access?

Posted on 2009-05-10
Last Modified: 2012-06-27
I've successfully configured my ASA 5510 to use AD for authentication of my VPN users.  I'd like to tighten access down and use Remote Access Permissions in AD to control who can use the resource.  Can someone point me in the right direction?
Question by:jwixted
14 Comments
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350667
User's properties, the dial-in tab.
0
 

Author Comment

by:jwixted
ID: 24350670
Right, I know how to SET the rights, how do I get the ASA to evaluate them...
0
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350675
Oh, sorry... how do you have ISA configured? Is it set to pull a certain group with permissions, or just to authenticate the password against the domain controllers? Can you send a quick show run of the relevant part?
0
 

Author Comment

by:jwixted
ID: 24350711
Currently, the ASA (not ISA) authenticates the users against AD - if they have an enabled AD user account, they get access, regardless of the values in the Remote Access Permissions settings in AD.  Relevant (I think) section of the config (names & IPs modified):

aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.17.222.219
 nt-auth-domain-controller DC2
aaa-server ActiveDirectory (inside) host 10.17.222.211
 nt-auth-domain-controller DC1
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.17.222.219
 ldap-base-dn dc=mydomain.com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=vpnauth,OU=No Password Policy,DC=mydomain,DC=com
 server-type microsoft
 ldap-attribute-map ALLOWVPNACCESS
0
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350726
Simply disable the accounts at the end of the day.

Just kidding. It's msNPAllowDialin.
0
 

Author Comment

by:jwixted
ID: 24350746
:)  I'd disable all the users, all the time, if I thought I'd get away with it!

How would I use msNPAllowDialin?
0
 
LVL 5

Accepted Solution

by:DTAHARLEV
DTAHARLEV earned 375 total points
ID: 24350773
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS
0
 

Author Comment

by:jwixted
ID: 24350805
So, just replace my:

ldap-attribute-map ALLOWVPNACCESS

with

map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS

Or do I need to create an ldap-attribute-map, and drop those commands into that?
0
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350813
Got me there, not sure about the exact syntax. I believe you can just put it under what you have, the existing map.
0
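Editor's note: the exchange above leaves the exact placement of the map-value lines open. The configuration below is an added, worked example (written for this page; it is not any poster's config and not Cisco's own sample) that shows where they go on an ASA of the 8.0/8.2 era this thread is about. It reuses the asker's server group LDAP_SRV_GRP and map name ALLOWVPNACCESS; the tunnel-group name SSLVPN and the group-policy names NOACCESS and ALLOWACCESS are placeholders. The map translates msNPAllowDialin into IETF-Radius-Class, which the ASA treats as the name of the group policy to apply, so a FALSE value lands the user in a policy that permits zero logins.

```text
! Added example; not from the thread's posters or from Cisco documentation.
! Placeholders: tunnel-group SSLVPN, group-policies NOACCESS / ALLOWACCESS.

! 1. Two group policies: one that refuses every login, one that permits SSL VPN.
!    (vpn-tunnel-protocol keywords are the 8.0-era ones; 8.4+ uses
!    "ssl-client ssl-clientless" instead of "svc webvpn".)
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 vpn-tunnel-protocol svc webvpn
 vpn-simultaneous-logins 3

! 2. The attribute map. map-name pairs the AD attribute with the Cisco
!    attribute; map-value rewrites each AD value into a group-policy name.
!    The map-value lines from the accepted answer belong here, under the map.
ldap attribute-map ALLOWVPNACCESS
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS

! 3. Attach the map to the LDAP server group. This line already exists in the
!    asker's config and is shown for context. The "protocol nt" server group
!    only validates passwords and cannot read user attributes, so the tunnel
!    group must authenticate through the LDAP group for the map to have effect.
aaa-server LDAP_SRV_GRP (inside) host 10.17.222.219
 ldap-attribute-map ALLOWVPNACCESS

! 4. Fail closed. A user whose dial-in tab is set to "Control access through
!    Remote Access Policy" (NPS Network Policy on newer domains) has no
!    msNPAllowDialin value at all, so neither map-value matches and the tunnel
!    group's default policy is applied. Making that default NOACCESS means an
!    unset attribute denies rather than allows.
tunnel-group SSLVPN general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy NOACCESS
```

Two things worth checking after applying it: "debug ldap 255" during a test login shows the attribute the ASA read and the value the map produced, which is the quickest way to confirm the map-value strings match what AD returns (TRUE/FALSE, upper case); and the bind account named in ldap-login-dn must be able to read msNPAllowDialin on the user objects, otherwise every user falls through to the default policy.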
 
LVL 2

Assisted Solution

by:ibiadmin6
ibiadmin6 earned 375 total points
ID: 24351012
We use AD groups to auth to Cisco ASAs. I did not do the Cisco end, but basically you create an AD group and a Cisco ASA group. You then map the Cisco group to the AD group. Then you apply your Cisco rules and rights to the Cisco group whose members are AD group members.

Easier to audit this way, plus you can create multiple groups in AD and on Cisco and map them for different rules and rights while on a VPN connection.

By the way, we created new AD security groups specific for the mapping to the Cisco groups. You can mail-enable them also to send notifications such as maint. times, etc.
0
 
LVL 2

Expert Comment

by:ibiadmin6
ID: 24351015
Cisco has a .pdf with step-by-step procedures that we used for the ASAs.
0
 

Author Comment

by:jwixted
ID: 25164870
Sorry, my bad.  I'll close the question and split the points.
0
 

Author Closing Comment

by:jwixted
ID: 31579995
Applying your suggestions worked, but required a fair amount of additional research to implement.
0
