<div>
People who do not have access to specific servers / devices should not have passwords to these devices and so cannot get into them.
</div>


Owner

Bill Herde

<div>
Mathew - This sounds like the solution needed. The desire is for this restricted group to not be able to see anything but the selected target. Do you have any links to more information on setting up a windows radius server to send acl lists? Anything else that can shorten the learning curve to implement this?
</div>


<div>
While you can try to limit access by VPN rules, if a user comes in the office (so VPN does not apply) then you need to consider logical server access controls by user and password as well.
</div>


<div>
@john &nbsp;Understood. &nbsp;This group will be for users in a remote call center. &nbsp;When they connect to the VPN, they will have access to a single web server running the application. They will also be restricted from access to any other servers using windows security, but management would like them to not be able to even see the names of or ping any other devices or even attempt connection to any other ports on the web server.
</div>


<div>
This article from sonic wall may help. <a href="https://www.sonicwall.com/en-us/support/knowledge-base/170502802997480" rel="ugc">https://www.sonicwall.com/en-us/support/knowledge-base/170502802997480</a><br />
<br />
I have no experience with the windows radius servers so I can’t offer first hand experience of it.
</div>


<div>
@Pete &nbsp;Thanks. &nbsp;Let me look into how that is done. &nbsp;Simple is good!
</div>


<div>
Hi Bill no worries <a href="https://www.petenetlive.com/KB/Article/0001152" rel="ugc">heres me using DAP to limit network access</a>. <br />
<br />
Pete
</div>


<div>
Just tested it - simples!<br />
<br />
<a href="https://filedb.experts-exchange.com/incoming/2018/03_w13/1291271/DAP-policy.png" target="_blank" title="DAP Policy (218 KB)"><img alt="DAP Policy" class="file-block lazyload" style="max-width: 800px;" data-src="https://filedb.experts-exchange.com/incoming/2018/03_w13/800_1291271/DAP-policy.png" /></a>
</div>


DAP-policy.png

<div>
Ran into a complication. &nbsp; LDAP failed to return any information. &nbsp;I opened ticket with TACS to assist getting this first part right, and after some effort we came to the conclusion that LDAP was returning a code 10 referral. &nbsp;Referral is not supported by the ASA. &nbsp;Cisco tech just emailed me that we may be able to use radius attribute ID. &nbsp;I will give it another shot a little later, I have a telephone issue to fix first.
</div>


<div>
Waiting for phone tech to appear. Did a quick test of the policy using radius attribute id 4242 testing for membership in the AD group, and it returned a status on 1 = continue. &nbsp;Looks good so far.
</div>


<div>
Fires are out so I can get back to this.<br />
Not sure what I am doing wrong here. The DAP screen sets up as in your screenshot above, but using radius 4242 to test for group membership. &nbsp;The 'TEST Dynamic Access Policies' button runs the test and returns the following.<br />
<br />
The DAP policy contains the following attributes for user: <br />
--------------------------<wbr />----------<wbr />----------<wbr />----------<wbr />----------<wbr />--------<br />
1: tunnel-protocol = svc<br />
2: svc ask = ask: no, dflt: svc<br />
3: action = continue<br />
4: user-message = Connecting to EDMS Dashboard<br />
<br />
But there does not seem to be a place to tie the result to the ACL created. &nbsp;When connecting with anyconnect as the test user, I still get the same full access as any authorized &nbsp;VPN user.<br />
<br />
Using CLI (which I am by NO means adept at) I look for the restricted &nbsp;ACL to show up on the user session, but it does not look to be applied.
</div>


<div>
I had Cisco on the phone just now, and the DAP will be the correct solution. &nbsp;What is lacking now is how to get the radius server to respond with the correct group name. &nbsp;Workin on that, If Windows Radius configuration is in your wheel house please respond.
</div>


<div>
Still can’t make English out of this…<br />
<br />
Since I could find no means in windows NPS to define attribute 146, I am trying to make it meet condition testing for attribute ID 25, which I can set per user group in AD. &nbsp;.<br />
<br />
This is the current test for in DAP.<br />
<br />
<br />
------------------------<br />
aaa.radius.4121 = &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; CallCenterVPN<br />
<br />
Selected DAP records<br />
--------------------<br />
Call_Center_VPN<br />
<br />
ACLs to aggregate for DAP-ip-user-<br />
--------------------------<wbr />------<br />
priority 1, access-list CallCenterVPN<br />
Using existing access-list: CallCenterVPN<br />
<br />
The DAP policy contains the following attributes for user: <br />
--------------------------<wbr />----------<wbr />----------<wbr />----------<wbr />----------<wbr />--------<br />
1: tunnel-protocol = svc<br />
2: url-entry = enable<br />
3: file-entry = disable<br />
4: file-browsing = disable<br />
5: svc ask = ask: no, dflt: svc<br />
6: action = continue<br />
7: user-message = Connecting to EDMS Dashboard<br />
8: network-acl = CallCenterVPN<br />
<br />
This is what the ASA reports when connecting.<br />
<br />
<br />
Radius: Type = 25 (0x19) Class<br />
Radius: Length = 15 (0x0F)<br />
Radius: Value (String) =<br />
43 61 6c 6c 43 65 6e 74 65 72 56 50 4e &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | &nbsp;CallCenterVPN<br />
Radius: Type = 25 (0x19) Class<br />
<br />
But the ACL is still not applied……<br />
<br />
Quickly forming a head-shaped hole in the wall here.
</div>


<div>
Well we have an answer at last. &nbsp;Yes, Setting a dynamic access policy (DAP) is the cure. &nbsp;I was unable to use LDAP because multiple LDAP servers in the environment cause the response to be flagged as 'referral'. &nbsp;Radius was set up for authentication, and Cisco TACs suggested using tunnel group type identifier as trigger for DAP. &nbsp;Also sent along a KB telling me to test using radius ID (146) plus 4096 as test value. This information, while documented, is bogus. &nbsp;(See below) &nbsp;Then needed to get MSFT radius to change that value dependent on security group. &nbsp;<br />
<br />
Unable to set value 146 in MSFT radius, but in Network Policy Server you can create a network policy for the security group, and on the settings tab of the properties for that policy add (or change) the 'Class' value to the value you will be testing for in DAP. That will change attribute 25. &nbsp;4096+25=4121, and DAP failed to trigger still. &nbsp;Then tried testing ID 25 for value (actually by accident) and it finally worked!<br />
<br />
From ASDM defining the Access List straight out of the DAP settings is very intuitive. &nbsp;Took only a few minutes more to finish it up.<br />
<br />
Many thanks to all participants.<br />
<a href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html" rel="ugc">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html</a>
</div>


<div>
Wanted to make sure Mathew got a thank you for the link regarding using DAP. &nbsp;Examples from Pete made solution much easier.
</div>


<div>
<div class="content wysiwyg-content">
I am using Cisco ASA firewalls. &nbsp;I would like to use Cisco anyconnect VPN and direct some active directory users to be able to connect only to specific computers inside the network. Other users need unrestricted access. &nbsp;Looking for thoughts on how to design this.<br />
I could create VPN groups on the firewall that have access rules allowing only a single IP and even port to be connected, but all three firewalls would need to be manually updated with usernames and passwords. &nbsp;Additionally, when connecting, the user would have to select the VPN group name.<br />
I could create and active directory user with limited access to specific servers. &nbsp;Radius is already in place. &nbsp;But Restrictions in active directory seem to end at the machine level. &nbsp;I would like these users to only be able to access port 80. &nbsp;(RDP is open for maintenance as well as the usual windows ports)<br />
<br />
Got any creative ideas?
</div>
</div>


I am using Cisco ASA firewalls.  I would like to use Cisco anyconnect VPN and direct some active directory users to be able to connect only to specific computers inside the network. Other users need unrestricted access.  Looking for thoughts on how to design this.
I could create VPN groups on the firewall that have access rules allowing only a single IP and even port to be connected, but all three firewalls would need to be manually updated with usernames and passwords.  Additionally, when connecting, the user would have to select the VPN group name.
I could create and active directory user with limited access to specific servers.  Radius is already in place.  But Restrictions in active directory seem to end at the machine level.  I would like these users to only be able to access port 80.  (RDP is open for maintenance as well as the usual windows ports)

Got any creative ideas?

How to limit VPN access

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Cisco

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.