Solved

Limiting Cisco ASA access based on RSA Groups

Posted on 2013-01-21
1,090 Views
Last Modified: 2014-10-21
I need to limit access to Cisco ASA Profiles based on RSA Groups. Cant figure out how to specify the groups on the ASA or pass them from the RSA SecurID. Anyone have experience with this?
Question by:hopemonger
9 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38805077
Outside of RSA, if I were doing this against AD, I would use LDAP attribute mapping:

aaa-server user-LDAP (inside) host x.x.x.x
  ldap-attribute-map ldap-map-1

ldap attribute-map ldap-map-1
  map-name  ********** IETF-Radius-Class
  map-value ********** "cn=xxx" Group-xxx
  map-value ********** "cn=yyy" Group-yyy

group-policy Group-xxx internal
group-policy Group-xxx attributes
  address-pools value Group-xxx-pool

group-policy Group-yyy internal
group-policy Group-yyy attributes
  address-pools value Group-yyy-pool

 
LVL 25

Expert Comment

by:RobMobility
ID: 38805187
Hi,

ArneLovius is correct, you can use LDAP or RADIUS to pass attributes back to the ASA to select group policies etc. Here is a Cisco technote:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Depending on what you are trying to do, the other option is to use Dynamic Access Policies with a single configuration file and group policy.

Here, for example, you can query AD group membership via LDAP and then specify an ACL that constrains which resources that user can access when they connect.

It really depends what you are trying to do.

Regards,


RobMobility.
 
LVL 64

Expert Comment

by:btan
ID: 38805513
Thought you may be interested in using the asa-sdi protocol supported in Cisco ASA...

http://rivald.blogspot.sg/2009/09/cisco-asa-vpn-and-rsa-secureid.html

If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

The RSA SecurID servers are also known as SDI servers. The ASA supports SDI Version 5.0, 6.0, and 7.0. SDI uses the concepts of an SDI primary and SDI replica servers.

The ASA contacts the first server in the group. If that server is unavailable, the ASA contacts the next server in the group, if configured. If all servers in the group are unavailable, the ASA tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.

 

Author Comment

by:hopemonger
ID: 38805923
We need to figure out how to pass more than one group from the RADIUS server (RSA) to the ASA so that they can log in to more than one group.
 
LVL 37

Accepted Solution

by:ArneLovius
ArneLovius earned 1000 total points
ID: 38807242
The ASA can only match a single internal group with LDAP or RADIUS Authentication.

This does mean that you have to create specific AD (or whatever backend you use) groups just for remote access, and because the group matching is done from the groups the user is a direct member of (not by checking membership of a group), you can't use nested groups.

To match internal groups with RADIUS you would use the "class" attribute.

You could use external groups, where the RADIUS server sends all of the required parameters to the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1133706
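As an added illustration of the two ArneLovius comments above (the ldap attribute-map in the first, and the single-group-policy limit and nested-group caveat in the accepted answer), here is a small Python model of how the ASA ends up with one group-policy from directory membership. It is not ASA configuration, RSA software or any Cisco API; it is editor-written example code. It assumes memberOf as the mapped LDAP attribute (the attribute name is redacted in the comment above), constructed user names, group DNs and group-policy names, and the `OU=<group-policy>;` form that Cisco documents for the IETF RADIUS Class attribute. Which mapped value the ASA applies when several come back is not settled by this thread, so the model takes the first one and labels that as an assumption.

```python
"""Model of Cisco ASA group-policy selection from directory groups.

Added example for this thread: illustrative Python, not ASA configuration,
RSA software or a Cisco API. Every user, DN, group-policy name and attribute
name below is constructed for the illustration.
"""

# Constructed directory data: each user's *direct* memberOf values, the way
# an LDAP server returns them. Nested membership is kept separately because
# that is exactly what the ASA's attribute map never sees.
DIRECT_MEMBER_OF = {
    "alice": ["cn=vpn-admins,ou=groups,dc=example,dc=com"],
    "bob": [
        "cn=vpn-admins,ou=groups,dc=example,dc=com",
        "cn=vpn-users,ou=groups,dc=example,dc=com",
    ],
    # carol is in vpn-users only through the nested all-staff group
    "carol": ["cn=all-staff,ou=groups,dc=example,dc=com"],
}
NESTED_MEMBERSHIP = {
    "cn=all-staff,ou=groups,dc=example,dc=com": [
        "cn=vpn-users,ou=groups,dc=example,dc=com",
    ],
}

# Model of the ldap attribute-map from the first comment, with the mapped
# attribute assumed to be memberOf:
#   ldap attribute-map ldap-map-1
#     map-name  memberOf IETF-Radius-Class
#     map-value memberOf "cn=vpn-admins,..." Group-admins
#     map-value memberOf "cn=vpn-users,..."  Group-users
LDAP_MAP_VALUES = {
    "cn=vpn-admins,ou=groups,dc=example,dc=com": "Group-admins",
    "cn=vpn-users,ou=groups,dc=example,dc=com": "Group-users",
}

# Internal group-policies configured on the ASA (names constructed).
GROUP_POLICIES = {"Group-admins", "Group-users"}
DEFAULT_GROUP_POLICY = "DfltGrpPolicy"


def ldap_class_values(member_of):
    """map-value lookup: only DNs listed in the map yield a Class value."""
    return [LDAP_MAP_VALUES[dn] for dn in member_of if dn in LDAP_MAP_VALUES]


def radius_class_values(class_attributes):
    """Extract group-policy names from IETF RADIUS Class (attribute 25).

    The ASA expects the value in the form 'OU=<group-policy>;'. Values that
    do not follow that form are ignored here.
    """
    names = []
    for raw in class_attributes:
        value = raw.strip()
        if value.upper().startswith("OU=") and value.endswith(";"):
            names.append(value[3:-1])
    return names


def select_group_policy(class_values):
    """Apply exactly one internal group-policy.

    The accepted answer's point is that the ASA matches only a single
    internal group-policy, so a user who maps to several still gets one.
    Which one wins is not established by the thread; this model takes the
    first mapped value (an assumption of the example, not ASA behaviour).
    """
    for name in class_values:
        if name in GROUP_POLICIES:
            return name
    return DEFAULT_GROUP_POLICY


def expand_nested(member_of):
    """One level of nested-group flattening.

    This is what the ASA does NOT do: the attribute map only sees the
    direct memberOf values. Shown to make the gap visible.
    """
    seen = list(member_of)
    for dn in member_of:
        for nested in NESTED_MEMBERSHIP.get(dn, []):
            if nested not in seen:
                seen.append(nested)
    return seen


def policy_for_user(user):
    """Group-policy the ASA would apply from the user's direct memberOf."""
    return select_group_policy(ldap_class_values(DIRECT_MEMBER_OF[user]))


if __name__ == "__main__":
    for user in DIRECT_MEMBER_OF:
        applied = policy_for_user(user)
        flattened = select_group_policy(
            ldap_class_values(expand_nested(DIRECT_MEMBER_OF[user])))
        print(f"{user}: ASA applies {applied}; "
              f"with nesting flattened it would be {flattened}")
    # RADIUS path: the server already sends the policy name in Class
    print(select_group_policy(radius_class_values(["OU=Group-users;"])))
```

Running it shows bob, who maps to two group-policies, still receiving a single one, and carol falling through to the default group-policy because her only direct group is unmapped; the flattened column shows the result a dedicated remote-access group (as the accepted answer recommends) would give her directly.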
 
LVL 64

Assisted Solution

by:btan
btan earned 1000 total points
ID: 38808213
Question has a verified solution.