Solved

Prevent RADIUS users from connecting to a Cisco AnyConnect profile

Posted on 2011-10-12
Last Modified: 2012-05-12
Hi,

How can I prevent RADIUS-authenticated users from connecting to a Cisco AnyConnect connection profile? I have 2 profiles; can I restrict access to those profiles with AD groups?
Question by:kimhed

Expert Comment

by:Ken Boone
ID: 36959960
Yes, it is much easier IMHO to do this with LDAP instead. With LDAP you can set up an AD group and put the users in that group. Then you can set up your AnyConnect profile to authenticate the user against the AD server via LDAP. In addition it checks to see if the user is a member of the group you created, and if so it will assign the appropriate policy after authentication.

Here is a link you can look at:

http://www.block.net.au/blogs/james/pages/active-directory-vpn-authentication-with-a-cisco-asa-5510-series-appliance.aspx

Also, here is another way of doing it based on the "Dial-in allowed" field:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Hope this helps.

Author Comment

by:kimhed
ID: 36960542
Hi,

Maybe I wasn't clear enough, my fault :-)). I want to create 2 AD groups; if you are a member of one group, you can connect to one of the connection profiles but not the other.


Expert Comment

by:Ken Boone
ID: 36962066
Well that is what you can do.  So you do not set a default policy on the tunnel group in the ASA.  You have a policy configured.  When the AD lookup occurs if they are in 1 specific AD group then you map it to that policy, if they are in a different AD group you do not map to that policy and therefore they don't match a policy in the ASA and they don't get in.

Author Comment

by:kimhed
ID: 36962771
They don't need to be auto-mapped to a connection profile. It is OK if they can see both profiles when they log on, but if they choose, let's say, "VPNprofileAdmin" instead of "VPNprofileClient", they get denied or something. I just want the same thing as you can do with local users (bind them to a specific connection profile).

Expert Comment

by:Ken Boone
ID: 36963273
That is how I bind them to a specific profile. If they are a member of AD group A I bind them to VPNprofileAdmin; they have no choice, I automatically bind them. If they are a member of AD group B I bind them to VPNprofileClient; again they have no choice. This prevents them from selecting Admin instead of Client.

Author Comment

by:kimhed
ID: 36966722
OK, can you specify how you do it? I'm not sure I fully understand it. Do you use DAP?

Accepted Solution

by: Ken Boone (earned 2000 total points)
ID: 36969278
So it's like this:

First we set up a VPN group called Admin-VPN in AD and make the admin VPN users members of that group in AD. Then we create an LDAP attribute map which says: IF the user is a member of Admin-VPN, THEN map that user to the VPN profile VPNprofileAdmin.

--------
ldap attribute-map group_policy_map
  map-name  memberOf IETF-Radius-Class
  ! The mapped value is a group-policy name; it is case-sensitive and must
  ! match the group-policy defined below exactly (VPNprofileAdmin).
  map-value memberOf CN=Admin-VPN,OU=Groups,DC=companyname,DC=com VPNprofileAdmin
---------

Then we set up our LDAP server definition, including the bind account that will be used when making the LDAP queries. We also attach the LDAP attribute map we defined above:
----------------
aaa-server LDAP-Server protocol ldap
aaa-server LDAP-Server (inside) host 1.1.1.1
 ! Base DN has no spaces between RDNs
 ldap-base-dn dc=companyname,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ******
 ldap-login-dn CN=Administrator,CN=Users,DC=companyname,DC=com
 server-type microsoft
 ldap-attribute-map group_policy_map
------------------------


Then we build the VPNprofileAdmin group policy:

--------------------

group-policy VPNprofileAdmin internal
group-policy VPNprofileAdmin attributes
 dns-server value 1.1.1.1 1.1.1.2
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain value companyname.com
 address-pools value SSLVPN-Pool
 webvpn
  svc keep-installer installed
  svc ask enable default svc

------------------------

Then we set up the tunnel-group:

-----------------------

tunnel-group Customer-SSLVPN type remote-access
tunnel-group Customer-SSLVPN general-attributes
 authentication-server-group LDAP-Server
tunnel-group Customer-SSLVPN webvpn-attributes
 group-alias Customer-SSLVPN enable

---------------------

The key thing is that you do not specify a default group policy on the tunnel group. So with what I just showed you, the user must be in the AD group in order to connect to the VPN with the policy VPNprofileAdmin. If the user is not in the appropriate AD group, there will be no matching policy to map them to, and since there is no default policy it will fail the user.

You can also set up another AD group for client VPN users; add another entry in the LDAP attribute map to map those users to the VPNprofileClient group policy that you set up.

Now a user has to be in either one or the other of those groups to get access, and they will only be able to use the profile that is associated with that group.

Hope that helps.
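As an added example (not the original answer's configuration), the same design carried through for both profiles: a second map-value for a Client-VPN group, each group-policy locked to its own tunnel-group with group-lock so a user who picks the other alias is rejected, and an explicit NoAccess default policy for users in neither group. Group names, DNs, pool names, the host address and the bind account are placeholders.

```cisco
! Added example (not the original answer's config): both AD groups mapped,
! each group-policy locked to its own tunnel-group, and a deny-by-default
! policy for users in neither group. Names, DNs and IPs are placeholders.
ldap attribute-map group_policy_map
 map-name  memberOf IETF-Radius-Class
 map-value memberOf CN=Admin-VPN,OU=Groups,DC=companyname,DC=com VPNprofileAdmin
 map-value memberOf CN=Client-VPN,OU=Groups,DC=companyname,DC=com VPNprofileClient
!
aaa-server LDAP-Server protocol ldap
aaa-server LDAP-Server (inside) host 1.1.1.1
 ldap-base-dn dc=companyname,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password <bind-account-password>
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=companyname,DC=com
 server-type microsoft
 ldap-attribute-map group_policy_map
!
! Users who authenticate but match no map-value land here and are refused.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
group-policy VPNprofileAdmin internal
group-policy VPNprofileAdmin attributes
 vpn-tunnel-protocol svc
 address-pools value SSLVPN-Admin-Pool
 group-lock value Admin-SSLVPN
!
group-policy VPNprofileClient internal
group-policy VPNprofileClient attributes
 vpn-tunnel-protocol svc
 address-pools value SSLVPN-Client-Pool
 group-lock value Client-SSLVPN
!
tunnel-group Admin-SSLVPN type remote-access
tunnel-group Admin-SSLVPN general-attributes
 authentication-server-group LDAP-Server
 default-group-policy NoAccess
tunnel-group Admin-SSLVPN webvpn-attributes
 group-alias VPNprofileAdmin enable
!
tunnel-group Client-SSLVPN type remote-access
tunnel-group Client-SSLVPN general-attributes
 authentication-server-group LDAP-Server
 default-group-policy NoAccess
tunnel-group Client-SSLVPN webvpn-attributes
 group-alias VPNprofileClient enable
```

Check the mapping from the ASA with `test aaa-server authentication LDAP-Server host 1.1.1.1 username <user> password <password>`; `debug ldap 255` shows the memberOf values returned and which group-policy was selected.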

Author Closing Comment

by:kimhed
ID: 36979140
It's working, thx.