Limiting Cisco ASA access based on RSA Groups

Posted on 2013-01-21
Last Modified: 2014-10-21
I need to limit access to Cisco ASA profiles based on RSA groups. I can't figure out how to specify the groups on the ASA or pass them from the RSA SecurID server. Anyone have experience with this?
Question by:hopemonger
6 Comments
Expert Comment

by:ArneLovius
ID: 38805077
Outside of RSA, if I were doing this against AD, I would use LDAP attribute mapping:

aaa-server user-LDAP (inside) host x.x.x.x
 ldap-attribute-map ldap-map-1

! "**********" is the LDAP attribute name as redacted in the original post
ldap attribute-map ldap-map-1
 map-name  ********** IETF-Radius-Class
 map-value ********** "cn=xxx" Group-xxx
 map-value ********** "cn=yyy" Group-yyy

group-policy Group-xxx internal
group-policy Group-xxx attributes
 address-pools value Group-xxx-pool

group-policy Group-yyy internal
group-policy Group-yyy attributes
 address-pools value Group-yyy-pool

Expert Comment

by:RobMobility
ID: 38805187
Hi,

ArneLovius is correct: you can use LDAP or RADIUS to pass attributes back to the ASA to select group policies etc. Here is a Cisco technote:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Depending on what you are trying to do, the other option is to use Dynamic access policies with a single configuration file and group Policy.

Here, for example, you can query AD group membership via LDAP and then specify an ACL that constrains what resources that user can access when they connect.

It really depends what you are trying to do.

Regards,


RobMobility.
Expert Comment

by:btan
ID: 38805513
Thought you may be interested in using the SDI protocol supported in the Cisco ASA...

http://rivald.blogspot.sg/2009/09/cisco-asa-vpn-and-rsa-secureid.html

If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

The RSA SecurID servers are also known as SDI servers. The ASA supports SDI Version 5.0, 6.0, and 7.0. SDI uses the concepts of an SDI primary and SDI replica servers.

The ASA contacts the first server in the group. If that server is unavailable, the ASA contacts the next server in the group, if configured. If all servers in the group are unavailable, the ASA tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.
Author Comment

by:hopemonger
ID: 38805923
We need to figure out how to pass more than one Group from RADIUS server (RSA) to the ASA so that they can login to more than one group.
Accepted Solution

by:ArneLovius
ID: 38807242
The ASA can only match a single internal group with LDAP or RADIUS Authentication.

This does mean that you have to create specific AD (or whatever backend you use) groups just for remote access, and because the group matching is done from the groups the user is a member of (not by checking membership of a group), you can't use nested groups.

To match internal groups with RADIUS you would use the "class" attribute.

You could use external groups, where the RADIUS server sends all of the required parameters to the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1133706
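A worked ASA configuration for the RADIUS variant described in the accepted answer, added here as an example; it is not configuration from the original thread, from RSA, or from Cisco. The server-group name, address, shared key, pool ranges, ACLs and group-policy names are placeholders, and it assumes the RSA Authentication Manager is configured as a RADIUS server that returns one IETF Class (attribute 25) value per user or RSA group in the form the ASA expects for group-policy selection.

```text
! --- RADIUS server group pointing at the RSA server (placeholder host and key) ---
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 192.0.2.10
 key CHANGE-ME-shared-secret
 authentication-port 1812
 accounting-port 1813

! --- Address pools and per-group filters (placeholder ranges) ---
ip local pool Group-xxx-pool 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool Group-yyy-pool 10.10.2.1-10.10.2.254 mask 255.255.255.0
access-list ACL-Group-xxx extended permit ip any 10.1.0.0 255.255.0.0
access-list ACL-Group-yyy extended permit ip any 10.2.0.0 255.255.0.0

! --- Internal group policies: all settings live on the ASA, RADIUS only names ---
! --- the policy to apply via the Class attribute                               ---
group-policy Group-xxx internal
group-policy Group-xxx attributes
 address-pools value Group-xxx-pool
 vpn-filter value ACL-Group-xxx

group-policy Group-yyy internal
group-policy Group-yyy attributes
 address-pools value Group-yyy-pool
 vpn-filter value ACL-Group-yyy

! --- External group policy: the "external groups" option from the answer. ---
! --- The ASA fetches the policy's attributes from the RADIUS server itself. ---
group-policy Group-zzz external server-group RSA-RADIUS password CHANGE-ME-policy-password

! --- Fail closed: a user whose Access-Accept carries no usable Class attribute ---
! --- gets the tunnel group's default policy, so give that policy zero logins   ---
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RSA-RADIUS
 default-group-policy NoAccess

! --- On the RSA (RADIUS) side, return exactly one Class value per user: ---
!   Class = "OU=Group-xxx;"
! The ASA applies a single group policy per session, so returning both
! "OU=Group-xxx;" and "OU=Group-yyy;" does not merge the two policies.

! --- Checks from the ASA CLI ---
! test aaa-server authentication RSA-RADIUS host 192.0.2.10 username alice password <passcode>
! show vpn-sessiondb anyconnect      (the Group Policy field shows what was selected)
! debug radius                       (shows the Class attribute as received; turn off afterwards)
```

The NoAccess default policy is the part worth keeping even if the rest is adapted: without it, a user whose RSA group maps to no Class value, or whose Class value is misspelled, silently lands in whatever default policy the tunnel group carries. If a user genuinely needs the union of two groups' resources, define a third group policy (and a third RSA group) with that union rather than expecting the ASA to combine two Class values.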
Assisted Solution

by:btan
ID: 38808213