05-07-2007 06:14 PM - edited 02-21-2020 03:01 PM
Equipment:
ASA 5520 VPN Plus Software Version 7.2(2)
SSLClient Windows Version 1.1.3.173
ACS 4.1 Solution Engine
I have a client that wishes to configure multiple groups for SSL VPN access. They would like for instance to have 2 groups:
user
vendor
They then want to disable split-tunneling for all groups, and for each group have a different ACL applied to filter traffic. For example they want users in the vendor group to only have access to a DNS server for DNS and then RDP to a Windows server. All of this they want authenticated by AD through ACS. Is the way to accomplish this through NAC, or is there another way?
Thanks in advance for any help.
05-07-2007 08:12 PM
OK, let me clarify... I have everything, including the filters, working except for tying a user to a specific group. I just don't know how to tie a user to a specific tunnel group, when that user is being authenticated via ACS. How do I do that?
The end goal is to make sure that a user cannot use a group other than what we want. I.e. a vendor can't use the user group to bypass ACL restrictions. Is this done with "group lock"?
05-08-2007 09:47 AM
This is out of the ASA Configuration Guide:
Using the Security Appliance Authentication Server
You can configure users to authenticate to the security appliance internal authentication server, and
assign these users to a group policy on the security appliance.
Using a RADIUS Server
Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
Step 2 Set the class attribute to the group policy name in the format OU=group_name
For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)
05-08-2007 09:51 AM
Yeah, I've read that part. But what do you do on the ASA (if anything) to ensure that it uses that information to keep those users in the respective groups?
05-09-2007 03:53 AM
It's been a while since I set this up but I believe that's all you have to do. The group-lock feature is to tie a group policy to a tunnel group which we do also. We want the VPN connections to be very predictable.
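As an added illustration of what the replies above describe (it is not configuration posted by anyone in this thread, nor taken from Cisco's guide), here is an ASA 7.2-style configuration for the "vendor" side of the setup: a vpn-filter ACL that allows only DNS to one server and RDP to one Windows host, split tunnelling disabled, RADIUS authentication against ACS, and group-lock so that a user who is assigned the vendor policy can only connect through the vendor tunnel group. All addresses, pool ranges, the RADIUS key, the package path and the "user"/"vendor" names are placeholders or assumptions; the ACL is written with the client pool as the source, which is the convention assumed here for vpn-filter.

```text
! Added example, not from the thread or Cisco documentation. Addresses, the
! RADIUS shared secret and the client package path are placeholders.

! Filter for the vendor group's decrypted traffic: DNS to one server and RDP to
! one Windows host, nothing else. Source is the vendor client pool (assumed
! vpn-filter convention), destinations are the inside servers.
access-list VENDOR_FILTER extended permit udp 10.10.20.0 255.255.255.0 host 10.1.1.10 eq 53
access-list VENDOR_FILTER extended permit tcp 10.10.20.0 255.255.255.0 host 10.1.1.20 eq 3389
access-list VENDOR_FILTER extended deny ip any any

ip local pool VENDOR_POOL 10.10.20.1-10.10.20.50 mask 255.255.255.0

! RADIUS server group pointing at the ACS appliance (placeholder address/key)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5
 key <radius-shared-secret>

! Group policy that the ACS Class attribute (OU=vendor;) will select
group-policy vendor internal
group-policy vendor attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelall
 vpn-filter value VENDOR_FILTER
 ! group-lock: a session that lands in this policy is only accepted if it was
 ! started through tunnel-group "vendor"; picking "user" at login is rejected
 group-lock value vendor
 webvpn
  svc enable
  svc required

! Tunnel group the vendors select from the login page
tunnel-group vendor type webvpn
tunnel-group vendor general-attributes
 address-pool VENDOR_POOL
 authentication-server-group ACS
 default-group-policy vendor
tunnel-group vendor webvpn-attributes
 group-alias vendor enable

! Global SSL VPN enablement and the group drop-down on the login page
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.3.173.pkg 1
 svc enable
 tunnel-group-list enable

! On ACS, the vendor group's IETF RADIUS attribute [025] Class is set to
!   OU=vendor;
! so after authentication the ASA applies group-policy "vendor" regardless of
! which tunnel group the user chose; group-lock then enforces the match.
```

The same pattern is repeated for the "user" group (its own ACL, pool, group policy with group-lock value user, and tunnel group). Two points worth checking once it is in place: the Class attribute chooses the group policy, and group-lock is what turns that choice into a hard tie to a tunnel group, so a policy without group-lock still lets a user connect through any tunnel group; and a user for whom ACS returns no Class attribute falls back to the tunnel group's default-group-policy, so the default policy on each tunnel group (and DfltGrpPolicy) should be at least as restrictive as the intended one, for instance with the vendor filter applied or with vpn-simultaneous-logins set to 0, rather than permissive.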