Group ACLs on ASA for SSL VPN

paulhignutt
Level 1

Equipment:

ASA 5520 VPN Plus Software Version 7.2(2)

SSLClient Windows Version 1.1.3.173

ACS 4.1 Solution Engine

I have a client that wishes to configure multiple groups for SSL VPN access. They would like for instance to have 2 groups:

user

vendor

They then want to disable split-tunneling for all groups, and for each group have a different ACL applied to filter traffic. For example, they want users in the vendor group to only have access to a DNS server for DNS and then RDP to a Windows server. All of this they want authenticated by AD through ACS. Is the way to accomplish this through NAC, or is there another way?

Thanks in advance for any help.

4 Replies

paulhignutt
Level 1

OK, let me clarify... I have everything, including the filters, working except for tying a user to a specific group. I just don't know how to tie a user to a specific tunnel group, when that user is being authenticated via ACS. How do I do that?

The end goal is to make sure that a user cannot use a group other than what we want, i.e. a vendor can't use the user group to bypass ACL restrictions. Is this done with "group lock"?

This is out of the ASA Configuration Guide:

Using the Security Appliance Authentication Server

You can configure users to authenticate to the security appliance internal authentication server, and assign these users to a group policy on the security appliance.

Using a RADIUS Server

Using a RADIUS server to authenticate users, assign users to group policies by following these steps:

Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.

Step 2 Set the class attribute to the group policy name in the format OU=group_name

For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)

Yeah, I've read that part. But what do you do on the ASA (if anything) to ensure that it uses that information to keep those users in the respective groups?

It's been a while since I set this up, but I believe that's all you have to do. The group-lock feature is to tie a group policy to a tunnel group, which we do also. We want the VPN connections to be very predictable.
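To make the two replies concrete, here is an added example of the pieces on the ASA side for the vendor role (example config written for this thread, not the poster's configuration): the RADIUS Class attribute returned by ACS selects the group policy, the policy's vpn-filter limits the vendor to DNS and RDP, and group-lock rejects a vendor whose policy does not match the tunnel group they connected through. All names, addresses, the client pool and the shared secret are assumed placeholders; the ASA 7.2 syntax is used.

```text
! ---- ACS as the RADIUS authentication server ----
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.10
 key <shared-secret>

! ---- Vendor filter: DNS to one server, RDP to one Windows server, nothing else.
!      vpn-filter ACEs are matched with the client's assigned VPN address as
!      source and the inside resource as destination. ----
access-list VENDOR_FILTER extended permit udp 10.10.10.0 255.255.255.0 host 10.1.1.53 eq domain
access-list VENDOR_FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 10.1.1.20 eq 3389
access-list VENDOR_FILTER extended deny ip any any

ip local pool SSL_POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0

! ---- Group policy for vendors: full tunnel, filtered, locked to its tunnel group ----
group-policy vendor internal
group-policy vendor attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelall
 vpn-filter value VENDOR_FILTER
 group-lock value vendor
 webvpn
  svc enable

! ---- Tunnel group for vendors: authenticate to ACS. A Class attribute of
!      OU=vendor; returned by ACS overrides default-group-policy. ----
tunnel-group vendor type webvpn
tunnel-group vendor general-attributes
 authentication-server-group ACS
 default-group-policy vendor
 address-pool SSL_POOL
tunnel-group vendor webvpn-attributes
 group-alias vendor enable

! ---- Global SSL VPN settings (SVC image must already be installed) ----
webvpn
 enable outside
 svc enable
 tunnel-group-list enable

! Repeat the group-policy and tunnel-group blocks for "user" with USER_FILTER,
! "group-lock value user" and ACS returning OU=user; for that AD group.
```

With this in place, a vendor account that picks the "user" tunnel group is still mapped to the vendor group policy by the Class attribute, and the group-lock mismatch makes the ASA drop the connection rather than apply the user ACL.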