Solved

How to use Remote Access Permissions in AD to control Cisco SSL VPN access?

Posted on 2009-05-10
Last Modified: 2012-06-27
I've successfully configured my ASA 5510 to use AD for authentication of my VPN users.  I'd like to tighten access down and use Remote Access Permissions in AD to control who can use the resource.  Can someone point me in the right direction?
Question by:jwixted
14 Comments
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350667
User's properties, the dial-in tab.

Author Comment

by:jwixted
ID: 24350670
Right, I know how to SET the rights, how do I get the ASA to evaluate them...
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350675
oh, sorry... how do you have ISA configured? Is it set to pull a certain group with permissions, or just to authenticate the password against the domain controllers? Can you send a quick show run of the relevant part?

Author Comment

by:jwixted
ID: 24350711
Currently, the ASA (not ISA) authenticates the users against AD - if they have an enabled AD user account, they get access, regardless of the values in the Remote Access Permissions settings in AD.  Relevant (I think) section of the config (names & IPs modified):

aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.17.222.219
 nt-auth-domain-controller DC2
aaa-server ActiveDirectory (inside) host 10.17.222.211
 nt-auth-domain-controller DC1
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.17.222.219
 ldap-base-dn dc=mydomain.com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=vpnauth,OU=No Password Policy,DC=mydomain,DC=com
 server-type microsoft
 ldap-attribute-map ALLOWVPNACCESS
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350726
Simply disable the accounts at the end of the day

just kidding. It's msNPAllowDialin.

Author Comment

by:jwixted
ID: 24350746
:)  I'd disable all the users, all the time, if I thought I'd get away with it!

How would I use msNPAllowDialin?
LVL 5

Accepted Solution

by:DTAHARLEV (earned 125 total points)
ID: 24350773
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS

Author Comment

by:jwixted
ID: 24350805
So, just replace my:

ldap-attribute-map ALLOWVPNACCESS

with

map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS

Or do I need to create an ldap-attribute-map, and drop those commands into that?
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350813
got me there, not sure about the exact syntax. I believe you can just put it under what you have, the existing map.
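The two map-value lines placed into a complete attribute map, as an added example rather than either expert's configuration. The map name and the LDAP server group are taken from the poster's config; the group-policy names NOACCESS/ALLOWACCESS, the tunnel-group name REMOTE_VPN and the login counts are assumptions. The map copies msNPAllowDialin into IETF-Radius-Class, which the ASA reads as the group-policy name, so a FALSE value drops the user into a policy that allows zero logins.

```cisco
! Global map definition (note the space: "ldap attribute-map" here,
! but "ldap-attribute-map" when referenced inside aaa-server)
ldap attribute-map ALLOWVPNACCESS
 map-name  msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE  ALLOWACCESS
!
! Policy for users whose Dial-in tab is set to "Deny access"
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy for users whose Dial-in tab is set to "Allow access"
! (login count is an assumed value)
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 vpn-simultaneous-logins 3
!
! Attach the map to the existing LDAP server entry from the question
aaa-server LDAP_SRV_GRP (inside) host 10.17.222.219
 ldap-attribute-map ALLOWVPNACCESS
!
! Tunnel group (name assumed) authenticates via LDAP; its default policy
! is what a user receives when msNPAllowDialin is not set at all
tunnel-group REMOTE_VPN general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy NOACCESS
```

A user whose Dial-in tab is "Control access through NPS Network Policy" has no msNPAllowDialin value, so neither map-value matches and the tunnel-group's default-group-policy decides; keeping that default at NOACCESS is the fail-closed choice. Because this map writes IETF-Radius-Class, it will override any group-policy assignment made from AD group membership on the same map.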
LVL 2

Assisted Solution

by:ibiadmin6 (earned 125 total points)
ID: 24351012
We use AD groups to auth to Cisco ASAs. I did not do the Cisco end, but basically you create an AD group and a Cisco ASA group. You then map the Cisco group to the AD group. Then you apply your Cisco rules and rights to the Cisco group whose members are AD group members.

Easier to audit this way, plus you can create multiple groups in AD and on Cisco and map them for different rules and rights while on a VPN connection.

By the way, we created new AD security groups specific for the mapping to the Cisco groups. You can mail-enable them also to send notifications such as maint. times etc.
LVL 2

Expert Comment

by:ibiadmin6
ID: 24351015
Cisco has a .pdf with step-by-step procedures that we used for the ASAs.

Author Comment

by:jwixted
ID: 25164870
Sorry, my bad.  I'll close the question and split the points.

Author Closing Comment

by:jwixted
ID: 31579995
Applying your suggestions worked, but required a fair amount of additional research to implement.