Solved

Limiting Cisco ASA access based on RSA Groups

Posted on 2013-01-21
971 Views
Last Modified: 2014-10-21
I need to limit access to Cisco ASA profiles based on RSA groups. Can't figure out how to specify the groups on the ASA or pass them from the RSA SecurID. Anyone have experience with this?
Question by:hopemonger
9 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38805077
Outside of RSA, if I were doing this against AD, I would use LDAP attribute mapping:

aaa-server user-LDAP (inside) host x.x.x.x
  ldap-attribute-map ldap-map-1

ldap attribute-map ldap-map-1
  map-name  ********** IETF-Radius-Class
  map-value ********** "cn=xxx" Group-xxx
  map-value ********** "cn=yyy" Group-yyy

group-policy Group-xxx internal
group-policy Group-xxx attributes
  address-pools value Group-xxx-pool

group-policy Group-yyy internal
group-policy Group-yyy attributes
  address-pools value Group-yyy-pool

LVL 25

Expert Comment

by:RobMobility
ID: 38805187
Hi,

ArneLovius is correct: you can use LDAP or RADIUS to pass attributes back to the ASA to select group policies etc. Here is a Cisco technote:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Depending on what you are trying to do, the other option is to use Dynamic Access Policies with a single configuration file and group policy.

Here, for example, you can query AD group membership via LDAP and then specify an ACL that constrains what resources that user can access when they connect.

It really depends what you are trying to do.

Regards,

RobMobility.
LVL 63

Expert Comment

by:btan
ID: 38805513
Thought you may be interested in using the asa-sdi protocol supported in Cisco ASA...

http://rivald.blogspot.sg/2009/09/cisco-asa-vpn-and-rsa-secureid.html

If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

The RSA SecurID servers are also known as SDI servers. The ASA supports SDI Version 5.0, 6.0, and 7.0. SDI uses the concepts of SDI primary and SDI replica servers.

The ASA contacts the first server in the group. If that server is unavailable, the ASA contacts the next server in the group, if configured. If all servers in the group are unavailable, the ASA tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.

Author Comment

by:hopemonger
ID: 38805923
We need to figure out how to pass more than one group from the RADIUS server (RSA) to the ASA so that they can log in to more than one group.
LVL 37

Accepted Solution

by:ArneLovius (earned 250 total points)
ID: 38807242
The ASA can only match a single internal group with LDAP or RADIUS Authentication.

This does mean that you have to create specific AD (or whatever backend you use) groups just for remote access, and because the group matching is done from the groups the user is a member of (not by checking membership of a group), you can't use nested groups.

To match internal groups with RADIUS you would use the "class" attribute.

You could use external groups, where the RADIUS server sends all of the required parameters to the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1133706
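As an added illustration of the single-match behaviour described in the accepted solution (example code, not the author's or Cisco's), the following Python decoder walks a RADIUS Access-Accept attribute list, pulls out the Class attribute (type 25, RFC 2865) and maps the "OU=<group-policy>;" value form the ASA expects to one configured group-policy. The attribute list is constructed here, and the rule that the first Class value naming an existing group-policy wins is an assumption made for the demonstration.

```python
RADIUS_ATTR_CLASS = 25          # RFC 2865: Class attribute type
RADIUS_ATTR_REPLY_MESSAGE = 18  # RFC 2865: Reply-Message, ignored for group selection


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list (TLV: type, length, value)."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        # Length covers the 2-byte header; a value below 2 or past the buffer is malformed.
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def group_policy_from_class(value: bytes):
    """Return the group-policy name if the Class value has the ASA form 'OU=<name>;', else None."""
    text = value.decode("ascii", errors="replace")
    if text.startswith("OU=") and text.endswith(";"):
        return text[3:-1] or None
    return None


def select_group_policy(payload: bytes, configured):
    """Mimic the single-match rule: the first Class value naming a configured
    group-policy is applied; further Class values are ignored (assumption)."""
    for atype, value in parse_attributes(payload):
        if atype != RADIUS_ATTR_CLASS:
            continue
        name = group_policy_from_class(value)
        if name in configured:
            return name
    return None


def encode_attr(atype: int, value: bytes) -> bytes:
    """Build one RADIUS TLV attribute (used only to construct the sample below)."""
    return bytes([atype, 2 + len(value)]) + value


# Constructed sample Access-Accept attribute list, not a real capture: two Class
# values (the asker's "more than one group" case) plus a Reply-Message.
SAMPLE = (encode_attr(RADIUS_ATTR_CLASS, b"OU=Group-xxx;")
          + encode_attr(RADIUS_ATTR_CLASS, b"OU=Group-yyy;")
          + encode_attr(RADIUS_ATTR_REPLY_MESSAGE, b"Welcome"))

if __name__ == "__main__":
    print(select_group_policy(SAMPLE, {"Group-xxx", "Group-yyy"}))  # Group-xxx only
```

Even though both groups are sent, only one group-policy is selected, which is the limitation the answer describes.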
LVL 63

Assisted Solution

by:btan (earned 250 total points)
ID: 38808213