06-11-2008 09:46 AM - edited 03-10-2019 03:54 PM
Hi Guys,
We have a Cisco ASA 5510 and ACS 4.1 configured and the users can VPN into ASA and are authenticated by the ACS which is mapped to Active Directory and all works well.
I now need to know how to configure VPN access to allow certain groups to have access only to certain IPs or IP ranges.
Please any help or links appreciated.
06-11-2008 12:01 PM
Use the command "vpn-filter value YOUR-ACL-NAME" under your group-policy.
Then create the Access-list with the ip/ports you want them to access.
For example:
group-policy TEST internal
group-policy TEST attributes
dns-server value 10.1.1.60
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TEST_splitTunnelAcl
default-domain value TEST.com
vpn-filter value TEST_ACL
access-list TEST_ACL extended permit ip 10.1.1.0 255.255.255.0 10.1.3.3 255.255.255.255
This will allow access to any TCP or UDP ports on host 10.1.3.3
06-11-2008 02:11 PM
Thank You.
I was able to set access through different tunnel groups on the ASA. This will require different configs in the Cisco VPN client.
Is there a way to have a single tunnel group and then somehow set ACL that are tied to different groups in Active Directory? That way all Cisco VPN clients are configured the same way but based on AD group would define access control?
06-11-2008 05:31 PM
Yes it's possible.
I am using one tunnel-group and many group-policy that matches some Windows Group in AD. So all I have to do is assign a particular windows user to a group to give him/her VPN access.
First: Specify an ldap-attribute-map under your aaa-server section. Also, you will need a user account with at least domain user rights in your domain (in my example the user is VPN-LDAP-User).
aaa-server VPN_AUTHOR protocol ldap
aaa-server VPN_AUTHOR (inside) host YOUR-LDAP-SERVER-IP
ldap-base-dn DC=your_domain,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password (VPN-LDAP-User's password in AD)
ldap-login-dn CN=VPN-LDAP-User,CN=Users,DC=your_domain,DC=com
server-type microsoft
ldap-attribute-map Map_Groups_VPN
Secondly: Map the AD group to a group-policy on your PIX/ASA
ldap attribute-map Map_Groups_VPN
map-name memberOf cVPN3000-IETF-Radius-Class
map-value memberOf CN=VPNGroupA,OU=VPN_Acces,OU=SECURITY,DC=your_domain,DC=com GroupA
map-value memberOf CN=VPNGroupB,OU=VPN_Acces,OU=SECURITY,DC=your_domain,DC=com GroupB
In the above example, if user john is a member of Windows Group "VPNGroupA", he will be mapped to group-policy GroupA on the ASA.
Then you create the GroupA policy similar to this:
group-policy GroupA internal
group-policy GroupA attributes
dns-server value 192.168.0.11 192.168.0.6
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
default-domain value your_domain.com
address-pools value Pool_Groupa
Please rate if this helps. It's hard to find good how-to for this so I'm glad to give you the detailed steps.
NB: Use "debug ldap 255" to see how your LDAP query and mapping goes and look for errors.
Also, make sure you have no spaces in your OU name under AD, because the ASA will not accept your map-value command (I had to figure it out after 2 hours of troubleshooting because I used "VPN Access" originally).
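Putting the two answers above together, here is a complete constructed configuration (added as an illustration; it is not the posters' own config) that ties one tunnel-group, the memberOf-to-group-policy map, and a per-group vpn-filter ACL into a single working piece. It assumes a RADIUS aaa-server group named ACS for authentication, the LDAP group VPN_AUTHOR from the post for authorization, a client pool of 10.1.1.0/24, a Finance host 10.1.3.3 reachable by VPNGroupA on RDP and HTTPS only, and a 10.1.4.0/24 network reachable by VPNGroupB; all of those names and addresses are assumptions, not from the thread.

```cisco
! Constructed example: AD group -> group-policy -> vpn-filter, one tunnel-group.
! Pool, server-group, group and host names below are assumed for illustration.
ip local pool VPN_POOL 10.1.1.1-10.1.1.254 mask 255.255.255.0

ldap attribute-map Map_Groups_VPN
 map-name memberOf cVPN3000-IETF-Radius-Class
 map-value memberOf CN=VPNGroupA,OU=VPN_Acces,OU=SECURITY,DC=your_domain,DC=com GroupA
 map-value memberOf CN=VPNGroupB,OU=VPN_Acces,OU=SECURITY,DC=your_domain,DC=com GroupB

! vpn-filter ACLs are written with the VPN client as the source and the
! inside host/network as the destination. The ASA also applies them to the
! return traffic with the addresses swapped, so one permit line per flow is
! enough; anything not permitted is dropped by the implicit deny.
access-list GroupA_ACL extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.3.3 eq 3389
access-list GroupA_ACL extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.3.3 eq 443
access-list GroupB_ACL extended permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0

group-policy GroupA internal
group-policy GroupA attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value GroupA_ACL
group-policy GroupB internal
group-policy GroupB attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value GroupB_ACL

! Fail closed: a user who authenticates but matches no map-value is placed in
! the tunnel-group's default group-policy, so give that policy zero logins
! instead of leaving it with the permissive defaults.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! "type remote-access" is "type ipsec-ra" on older ASA releases.
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
 address-pool VPN_POOL
 authentication-server-group ACS
 authorization-server-group VPN_AUTHOR
 authorization-required
 default-group-policy NoAccess
```

After a test user connects, `show vpn-sessiondb detail remote` shows which group-policy the session landed in; if it reports NoAccess, the memberOf value returned by AD did not match any map-value (compare it against the output of `debug ldap 255`, remembering that the DN must match exactly, including the OU spelling).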
06-15-2008 08:41 AM
Thank you very much for the instructions. I am a complete CLI newbie but I see if I am going to be doing any advanced config or getting help from the forums I am going to have to learn.
So while I am not exactly sure how to implement this yet I am going to go through slowly and figure it out.
Thanks again.
10-24-2009 01:44 PM
hi,
I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
ACS Groups
Netadmin - need telnet/ssh/vpn/wireless
wireless - only wireless authentication
vpn - only vpn authentication
I need to map the above ACS groups to one or many AD groups and restrict access as stated.
Also please note that one user can belong to all three groups in ACS/AD.
thanks in advance.
11-07-2009 12:18 PM
I have been looking for some time to find exactly these instructions. They worked for me the very first time!