[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

Limiting Cisco ASA access based on RSA Groups

Posted on 2013-01-21
9
Medium Priority
?
1,201 Views
Last Modified: 2014-10-21
I need to limit access to Cisco ASA Profiles based on RSA Groups. Cant figure out how to specify the groups on the ASA or pass them from the RSA SecurID. Anyone have experience with this?
0
Comment
Question by:hopemonger
6 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38805077
Outside of RSA, If I was doing this against AD, I would use LDAP attribute mapping

aaa-server user-LDAP (insie) host x.x.x.x
ldap-attribute-map ldap-map-1
 
ldap attribute-map ldap-map-1
  map-name  ********** IETF-Radius-Class
  map-value ********** "cn=xxx" Group-xxx
  map-value ********** "cn=yyy" Group-yyy
  
group-policy Group-xxx internal
group-policy Group-xxx attributes
address-pools value Group-xxx-pool

group-policy Group-yyy internal
group-policy Group-yyy attributes
address-pools value Group-yyy-pool

Open in new window

0
 
LVL 26

Expert Comment

by:Rob Knight
ID: 38805187
Hi,

ArneLovius is correct, you can LDAP or Radius to pass attributes back to the ASA to select group policies etc. Here is a cisco technote:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Depending on what you are trying to do, the other option is to use Dynamic access policies with a single configuration file and group Policy.

Here you, for example, you can query AD group membership via LDAP and then specify an ACL that constrains what resources that user can access when they connect?

It really depends what you are trying to do.

Regards,


RobMobility.
0
 
LVL 66

Expert Comment

by:btan
ID: 38805513
Thought you may be interested using asa-sdi protocol supported in cisco asa...

http://rivald.blogspot.sg/2009/09/cisco-asa-vpn-and-rsa-secureid.html

If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

The RSA SecureID servers are also known as SDI servers. The ASA supports SDI Version 5.0, 6.0, and 7.0. SDI uses the concepts of an SDI primary and SDI replica servers.

The ASA contacts the first server in the group. If that server is unavailable, the ASA contacts the next server in the group, if configured. If all servers in the group are unavailable, the ASA tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 

Author Comment

by:hopemonger
ID: 38805923
We need to figure out how to pass more than one Group from RADIUS server (RSA) to the ASA so that they can login to more than one group.
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 1000 total points
ID: 38807242
The ASA can only match a single internal group with LDAP or RADIUS Authentication.

This does mean that you have to create specific AD (or whatever backend you use) groups just for remote access, and because the group matching is done from the groups the user is a member of, (not checking membership of a group) you can't use nested groups.

To match internal groups with RADIUS you would use the "class" attribute.

You could use external groups where the RADIUS server sends all of the required parameters to the ASA

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1133706
0
 
LVL 66

Assisted Solution

by:btan
btan earned 1000 total points
ID: 38808213
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Still wondering grappling over to strengthen your password, worry no more. Choose a Strong Passphrase instead though second factor is highly recommended. Read on more on the how-to and tips to enhance your "password" using easier to remember passphr…
ITIL has an elaborate incident management framework. This article serves as a starter for those who'd like to know more or need to suss out the baseline elements in a typical incident response execution plan on the "need to have" and the "good to ha…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Suggested Courses

640 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question