prlit

asked on

ASA5510 Using AD Authentication

So we've set up our new ASA5510 with LDAP/AD authentication and it's working great. We're using the SSL Any Connect client. The only thing is it seems that every single AD user now has a VPN account which is a little scary. I'm not sure if I need an add-on to my AD for Cisco devices or what but I'm not sure how to make the ASA and my LDAP seemless. I don't want every AD user thinking they can suddenly jump on from home whenever they want. Where do I define security for the VPN within AD?
bgoering

Check this article: http://blog.scottlowe.org/2005/11/22/cisco-pix-vpn-and-active-directory-integration/ It involves using IAS on Windows and controlling your remote access policies there. Probably easier than going straight to LDAP

Good Luck
prlit

ASKER

Yea, should have mentioned that we're using Server 2008. Sorry!
It is still a doable thing. In 2008 IAS was replaced with NPS (Network Policy Server) - it still offers RADIUS server functionality. See http://technet.microsoft.com/en-us/network/bb629414.aspx

"Network Policy Server
Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.


As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP)."

The page has links to the documentation you need.

Good Luck
You can use certificates.

Then you know only PCs with the right certificate can do VPN.

prlit

ASKER

Totally got it working with NPS! However one small issue - I can basically allow/deny and nothing else. I don't know how to enforce the VPN group policy based on their AD containers.
Are you trying to do the health checking for Network Access Protection? Not sure I understand what it is you can't do. I believe you have to run an agent on the user's PC for NAP. Take a look at http://www.microsoft.com/presspass/events/ssc/docs/CiscoMSNACWP.pdf for an overview.

Good Luck
prlit

ASKER

No I'm using the NPS to either grant or deny VPN access.
I guess I don't understand what you are trying to do. You said " I can basically allow/deny and nothing else. I don't know how to enforce the VPN group policy based on their AD containers."

What group policy settings are you trying to enforce?

When the user logs in through the VPN it is the ASA that is interfacing with NPS to decide whether or not to allow access and it sounds like you have that working.

Thus, once the user is logged in to the VPN he/she is not necessarily logged into the domain. (1) The remote workstation must be part of the domain, (2) the user must be logged into the workstation using domain credentials, and (3) you will need to force a gpupdate command to run in order to refresh group policy on the remote workstation.

In order to do that you need to run an agent on the remote workstation that interfaces with the Network Access Protection piece referenced above.
prlit

ASKER

I'm sorry maybe I can explain it better.

UserA needs to VPN in and see Servers 1, 2, and 3.
UserB needs to only see Server 2 and should not be allowed to see Server 1 or 3.

It's basically the split_tunnel list. Right now with the IPSEC client - the .pcf file determines which ASA Group Policy to use. With the NPS - the user can see the entire network.
Hmmm, take a look at http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/ and see if that is what you have in mind.

"VPN setup shows how to use IAS with VPN concentrator, ASA, or PIX. Basically, every vpn user connects with the same PCF file and enters into a group. When their username gets authenticated with ActiveDirectory, AD returns a group name to the CVPN/ASA/PIX and the pix puts them in that group."

Should be easily adaptable to NPS RADIUS functions.
prlit

ASKER

I'm getting a little confused here:

Login to Domain Controller
- go to: Active Directory Users and Computers
- OU: austin.mgam > Radius
- add group
- g_Radius_VPN
- OU: austin.mgam > Vendor
- add user
- User name:
- next
- password: [user password]
I assumed the austin.mgam was the name of his AD domain. He created OUs for Radius and Vendor, then groups/users within those containers.
prlit

ASKER

So how do I specify IPs that can/cannot be accessed in those containers?
You would create separate AD groups for the users that you wish to assign to certain ranges. Create associated groups and policies on the ASA, then associate the AD groups to the ASA groups based on the user's AD group and NPS dial-in policy.
prlit

ASKER

Yea, I guess that's what I'm looking to do but not sure how.
ASKER CERTIFIED SOLUTION
bgoering
prlit

ASKER

I'm sorry - I feel so bad saying this but I can't even find: "configuration > policy mgmt > traffic mgmt " on my ASA.

I'm shocked after spending so much time looking for instructions that this isn't a more common scenario.
prlit

ASKER

I must say - that second link - is exactly how I got it working. I just don't know how to apply an ACL or a split_tunnel list to each policy.
I believe that assumes you are using ASDM to configure the ASA to find the policy management features.
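As an added illustration (not from this thread, and not the asker's or bgoering's configuration), here is the ASA-side shape of what bgoering describes: one group-policy per user population, each with its own split-tunnel ACL, with NPS choosing the group-policy. The ASA reads the group-policy name from the RADIUS Class attribute (IETF attribute 25) in the form OU=<group-policy-name>; so each NPS network policy (conditioned on the AD group) returns a different Class value. All names, addresses and the shared secret below are made-up placeholders.

```cisco
! Constructed example: NPS-selected group-policies with per-group split-tunnel lists.
! Addresses, names and the RADIUS shared secret are placeholders.

! RADIUS server group pointing at the Windows Server 2008 NPS host
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.0.0.10
 key SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813

! Address pool handed to AnyConnect clients
ip local pool VPN_POOL 10.0.99.1-10.0.99.100 mask 255.255.255.0

! Split-tunnel lists: only the listed hosts are routed into the tunnel
! (Servers 1, 2 and 3 are 10.0.1.1, 10.0.1.2 and 10.0.1.3 in this example)
access-list SPLIT_ALL standard permit host 10.0.1.1
access-list SPLIT_ALL standard permit host 10.0.1.2
access-list SPLIT_ALL standard permit host 10.0.1.3
access-list SPLIT_SERVER2 standard permit host 10.0.1.2

! UserA's population: NPS policy for AD group g_VPN_Full returns Class = "OU=GP_FULL;"
group-policy GP_FULL internal
group-policy GP_FULL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ALL

! UserB's population: NPS policy for AD group g_VPN_Server2 returns Class = "OU=GP_SERVER2;"
group-policy GP_SERVER2 internal
group-policy GP_SERVER2 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_SERVER2

! Default for anyone NPS accepts without returning a Class: zero logins, i.e. no access.
! This keeps "every AD user has a VPN account" from being the fallback behaviour.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool VPN_POOL
 authentication-server-group NPS
 default-group-policy GP_NOACCESS
tunnel-group ANYCONNECT webvpn-attributes
 group-alias AnyConnect enable
```

A split-tunnel list only controls what the client routes into the tunnel; to have the ASA itself block UserB from reaching Server 1 or 3, also attach a vpn-filter ACL to GP_SERVER2.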
prlit

ASKER

Yes I am. Thanks.
Qlemo
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.