ASA: associate VPN users (RADIUS authenticated) with VPN group policy

rasmusan1 · ‎05-11-2007

Hello

i have a set up with a Cisco ASA 5520 with remote access VPN (using Cisco VPN client) and 3 different VPN group policies, each with different levels of access. the Users are authenticated using RADIUS against a Windows server 2003 Active Directory. Is it in any way possible to associate specific users with specific VPN group policies, without using LOCAL authentication or Cisco ACS server ?

best regards

martin.elliott · ‎05-11-2007

I had a similar problem, so my solution was to have three different VPN groups on the ASA, they all use the same authentication server but each group has different parameters.

rasmusan1 · ‎05-11-2007

yes, I have also set up 3 different VPN groups with different access-lists to specify the access. But the problem is, that the difference (and security) only lies in the profile (.pcf file) if for example user A only has limited access to the network through his VPN profile and user B has full access through his VPN profile, then user A can just copy user B's .pcf file and then use his own username/password (which is his Windows server 2003 AD username/password) and that way gain full access.

I want to bind a VPN group to an AD user account, so that a user can only login using the Cisco VPN client, using the VPN profile he is intended to use.

hope that you understand what i mean...

acomiskey · ‎05-11-2007

I can't think of a way to do this with IAS. You would need the ASA to pass the group name so you could create separate remote access policies, then tie them to separate windows groups.

cpembleton · ‎05-11-2007

You could also do it with the ACS server. Configure the radius to pass auth to AD.

You can configure ACS to dump the user into different groups. Gives you many options for controlling access like downloadable ACL's, access hours, and Network Access Profiles.

Little extra cost but much more flexible.

Thanks,

Chad

acomiskey · ‎05-11-2007

His question was whether or not he could do it without ACS.

cpembleton · ‎05-11-2007

My fault, was skimming and missed the last part.

Use certificates instead of PSK. The tunnel group setting needs to be part of the cert. So your .pcf will not contain a tunnel group. When the connection comes in it will read the value and stick the user in the desired tunnel-group.

Without certs the IAS will not give the desired result. You can control what parameters make up a valid authentication. The only extra thing it has is being able to assign a VLan which will only work on Ethernet or WiFi.

Thanks,

Chad

acomiskey · ‎05-11-2007

Chad,

How does that work with AD? Wouldn't you still have to associate a tunnel-group with an account in AD? Maybe I misunderstood but all I would have to do is use a laptop with a cert for a tunnel-group I did not belong to and login with my AD credentials? Maybe not, I don't know much about certs. thanks.

cpembleton · ‎05-14-2007

The Cert replaces the group name and password auth within the .pcf file. You have to configure the ASA to trust the issuing CA. So the cert allows the firewall to accept the incoming request the place it in the correct tunnel-group.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a00806370eb.html

Once the connection request is accepted and placed in the correct tunnel group the user authentication will occur which can be pointed to AD via IAS.

You would need the private key in order to login and be assigned to the correct tunnel-group. Which only the user it was assigned to should have. In the event that it was stolen or compromised you just make the cert invalid and the firewall will just reject the connection request. Much more secure and easier to maintain then PSK in a large infrastructure.

PKI:

http://en.wikipedia.org/wiki/Public_key_cryptography

Hope this answers your question. Let me know.

Thanks,

Chad