Solved

Limiting Cisco ASA access based on RSA Groups

Posted on 2013-01-21
Last Modified: 2014-10-21
I need to limit access to Cisco ASA profiles based on RSA groups. Can't figure out how to specify the groups on the ASA or pass them from the RSA SecurID. Anyone have experience with this?
Question by:hopemonger
9 Comments
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38805077
Outside of RSA, if I was doing this against AD, I would use LDAP attribute mapping:

! attribute map is attached to the LDAP server host entry
aaa-server user-LDAP (inside) host x.x.x.x
ldap-attribute-map ldap-map-1
 
! map the (redacted) LDAP attribute to IETF-Radius-Class, then each group DN to a group-policy name
ldap attribute-map ldap-map-1
  map-name  ********** IETF-Radius-Class
  map-value ********** "cn=xxx" Group-xxx
  map-value ********** "cn=yyy" Group-yyy
  
group-policy Group-xxx internal
group-policy Group-xxx attributes
address-pools value Group-xxx-pool

group-policy Group-yyy internal
group-policy Group-yyy attributes
address-pools value Group-yyy-pool

 
LVL 25

Expert Comment

by:RobMobility
ID: 38805187
Hi,

ArneLovius is correct, you can use LDAP or RADIUS to pass attributes back to the ASA to select group policies etc. Here is a Cisco technote:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Depending on what you are trying to do, the other option is to use Dynamic Access Policies with a single configuration file and group policy.

Here, for example, you can query AD group membership via LDAP and then specify an ACL that constrains what resources that user can access when they connect.

It really depends what you are trying to do.

Regards,

RobMobility.
 
LVL 61

Expert Comment

by:btan
ID: 38805513
Thought you may be interested in using the asa-sdi protocol supported in Cisco ASA...

http://rivald.blogspot.sg/2009/09/cisco-asa-vpn-and-rsa-secureid.html

If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

The RSA SecurID servers are also known as SDI servers. The ASA supports SDI Version 5.0, 6.0, and 7.0. SDI uses the concepts of an SDI primary and SDI replica servers.

The ASA contacts the first server in the group. If that server is unavailable, the ASA contacts the next server in the group, if configured. If all servers in the group are unavailable, the ASA tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.
 

Author Comment

by:hopemonger
ID: 38805923
We need to figure out how to pass more than one Group from RADIUS server (RSA) to the ASA so that they can login to more than one group.
 
LVL 36

Accepted Solution

by:
ArneLovius earned 250 total points
ID: 38807242
The ASA can only match a single internal group with LDAP or RADIUS authentication.

This does mean that you have to create specific AD (or whatever backend you use) groups just for remote access, and because the group matching is done from the groups the user is a member of (not by checking membership of a group), you can't use nested groups.

To match internal groups with RADIUS you would use the "class" attribute.

You could use external groups, where the RADIUS server sends all of the required parameters to the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1133706
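To make the "class" attribute mechanism from the accepted answer (and the IETF-Radius-Class target of ArneLovius's LDAP attribute map) concrete, here is an added example that is not from the thread and not Cisco or RSA code. It builds the RADIUS Access-Accept a server would return after a successful SecurID authentication, carrying IETF attribute 25 (Class) in the form the ASA expects for group-policy selection, "OU=<group-policy>;", with the RFC 2865 Response Authenticator. The receiving side models what the ASA does: verify the Response Authenticator with the shared secret, then pull the group-policy name out of Class. The shared secret, request authenticator, identifier and group-policy names are constructed for the example; the tie-break when several Class values arrive is an assumption, and how RSA Authentication Manager is configured to return the attribute is not covered here.

```python
"""RADIUS Access-Accept with Class = "OU=<group-policy>;" (added example, not from the thread).

Server side: build_access_accept() encodes the Class attribute and the RFC 2865
Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
Client (ASA-model) side: verify_response_authenticator() checks that MAC-like value,
select_group_policy() extracts the group-policy name from Class.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_CLASS = 25          # IETF RADIUS attribute 25, "Class"

SHARED_SECRET = b"example-secret"   # constructed for the example; never reuse


def encode_attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(blob):
    """Parse a TLV run into (type, value) pairs, rejecting truncated or bogus lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def build_access_accept(ident, request_authenticator, group_policy, secret=SHARED_SECRET):
    """RADIUS server side: Access-Accept whose Class names the ASA group-policy."""
    attrs = encode_attr(ATTR_CLASS, "OU={};".format(group_policy).encode("ascii"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret=SHARED_SECRET):
    """ASA-model side: recompute the Response Authenticator; False on wrong secret or tampering."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def select_group_policy(packet, request_authenticator, secret=SHARED_SECRET):
    """Return the group-policy named in Class ("OU=name;"), None on reject or no Class.

    Raises if the reply does not authenticate, since an unauthenticated reply must
    never be allowed to steer a user into a group-policy.
    """
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch (wrong secret or tampered reply)")
    code = packet[0]
    if code != ACCESS_ACCEPT:
        return None
    policies = []
    for attr_type, value in decode_attrs(packet[20:]):
        if attr_type == ATTR_CLASS:
            text = value.decode("ascii", "replace")
            if text.startswith("OU=") and text.endswith(";"):
                policies.append(text[3:-1])
    # The ASA applies exactly one group-policy (see the accepted answer). Taking the first
    # Class value when several are returned is an assumption of this example, not ASA
    # documented precedence; a server should return only one.
    return policies[0] if policies else None


if __name__ == "__main__":
    req_auth = bytes(range(16))   # constructed; real requests use 16 random bytes
    reply = build_access_accept(7, req_auth, "Group-xxx")
    print(reply.hex())
    print(select_group_policy(reply, req_auth))
```

Two things worth noticing when wiring this up for real: the ASA only trusts the reply because the Response Authenticator binds it to the shared secret and to the random Request Authenticator, so a weak or leaked secret lets anyone on the path hand out group-policies; and Class is opaque to RADIUS itself, so the "OU=name;" convention is purely an ASA-side agreement that the server configuration has to honour exactly, including the trailing semicolon.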
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 38808213

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now