Advice on TACACS+

Unanswered Question
Sep 23rd, 2008

Hi there


I am trying to implement the following scenario and would like to know the best solution for me.


We have 2 groups of remote VPN users, 1) Support and 2) Operations, both using the Cisco VPN client to log in remotely to our site.


1) When members of the Support group VPN in, I want our Cisco ASA to give them an IP range from Pool A of IP addresses. I want them to be authenticated using TACACS, and then after successful authentication they are redirected to, or only have access to, Server A.

2) When members of the Operations group VPN in, I want our Cisco ASA to give them an IP range from Pool B of IP addresses. I want them to be authenticated using TACACS, and then after successful authentication they are redirected to Server A AND have full access to Servers B, C, D etc.


Is this possible, and if so how?


Regards


craig.eyre Tue, 09/23/2008 - 08:36

Hi,


Yes this can be done.


This doc will be helpful in configuring the ASA for VPN:


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ike.html


On the ACS you create 2 user groups and link them to their appropriate LDAP/Active Directory groups. Create a downloadable IP ACL on the ACS to DENY the SUPPORT group access to servers B, C and D; the OPERATIONS group will then have access to all servers WITHOUT an IP ACL.


Here is a link to downloadable ACLs.


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wpxref8297


I'm making the assumption that you somewhat understand these features and the configuration of these devices. I can elaborate more if needed later on. There are a couple of ways to make your scenario work, but this is the first one that comes to mind.



RADIUS could be used to lock users into their appropriate groups as well.


http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml


I think it's the same for an ASA as for the 3000 concentrator.



HTH



Craig

cisco24x7 Tue, 09/23/2008 - 11:19
User Badges:
  • Silver, 250 points or more

I have a different philosophy and I call it:

Keep It Simple Stupid (KISS).


I would do the following:


Place your ASA VPN device behind a both outside and interface behind the firewall,


Set up VPN with two groups, VPN and NetOps, and use RADIUS to lock users into appropriate groups. VPN will get IP pool VPN_pool and NetOps will get VPN_NetOps.


Create rules on the firewall to allow appropriate access to resources based on IP pool.


This way it is much simpler than setting up downloadable ACLs.


Most enterprises set up VPN this way. They separate the functions of VPN and firewall into different devices.


my 2c

solpandor Wed, 09/24/2008 - 00:33

Guys,

Thanks for your input. The thing with ACS is I doubt we will be willing to spend the thousands on it. The 2nd solution seems more within budget (FREE), so I will test it and post my findings back here.


Thanks once again for your advice

solpandor Mon, 09/29/2008 - 06:24

Hi guys,

I've set up the following 2nd VPN to allow a support user remote access to only one server. The VPN connects OK and assigns the right VPN, but when I try to RDP from the support laptop to the server nothing happens. The access lists aren't getting hit, so I'm lost as to why not. I've also added a static route on the server back to the remote pool using a different gateway (as this is in a test environment at present). Any ideas?


! IP pool for remote user
ip local pool RA_VPN_SUPPORT 192.168.10.11 mask 255.255.255.255
!
! NO NAT (NAT exemption between the inside network and the remote pool)
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! For split tunnel
access-list ACL_RA_VPN permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! ACL for RDP to server
access-list ACL_VPN_SUPPORT permit tcp host 192.168.10.11 host 192.168.1.17 eq 3389
access-list ACL_VPN_SUPPORT permit ip host 192.168.10.11 any
!
! Crypto maps
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET
!
! ISAKMP (pre-shared key for any peer, phase 1 policy 20)
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
!
! VPN group (pool, DNS, domain, split-tunnel list, idle timeout, group password)
vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT dns-server 192.168.1.19
vpngroup RA_VPN_SUPPORT default-domain test.com
vpngroup RA_VPN_SUPPORT split-tunnel ACL_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT idle-time 1800
vpngroup RA_VPN_SUPPORT password ********



Regards
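As an added example (not code from this thread or from Cisco), here is a small Python first-match evaluator for PIX/ASA-style access-list entries. It is loaded with the two ACL_VPN_SUPPORT entries posted above, plus a hypothetical interface ACL named VPN_IN that implements the "allow by IP pool on the firewall" design from cisco24x7's reply. The operations pool 192.168.20.0/24 and the second server 192.168.1.18 are assumed addresses used only for illustration, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two ACL_VPN_SUPPORT entries from the thread, plus a
# hypothetical interface ACL (VPN_IN) that confines each VPN pool on the firewall.
# 192.168.20.0/24 (operations pool) and 192.168.1.18 (server B) are assumed values.
SAMPLE_CONFIG = """
access-list ACL_VPN_SUPPORT permit tcp host 192.168.10.11 host 192.168.1.17 eq 3389
access-list ACL_VPN_SUPPORT permit ip host 192.168.10.11 any
access-list VPN_IN permit tcp 192.168.10.0 255.255.255.0 host 192.168.1.17 eq 3389
access-list VPN_IN deny ip 192.168.10.0 255.255.255.0 any
access-list VPN_IN permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
"""


@dataclass
class Rule:
    acl: str
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # destination port from "eq PORT", if present


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'NET MASK'.
    PIX/ASA access-lists take a subnet mask here, not an IOS wildcard mask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_acls(config_text: str) -> List[Rule]:
    """Parse every 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line."""
    rules = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(name, action, proto, src, dst, dport))
    return rules


def evaluate(rules: List[Rule], acl_name: str, flow: Flow) -> str:
    """Top-down, first match wins; a flow matching no entry hits the implicit deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.acl != acl_name or r.proto not in ("ip", flow.proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"


def audit(rules: List[Rule]) -> dict:
    """Evaluate the flows the thread is concerned with against each ACL."""
    support_rdp_a = Flow("tcp", "192.168.10.11", "192.168.1.17", 3389)
    support_rdp_b = Flow("tcp", "192.168.10.11", "192.168.1.18", 3389)
    ops_rdp_b = Flow("tcp", "192.168.20.5", "192.168.1.18", 3389)
    return {
        "support->A via VPN_IN": evaluate(rules, "VPN_IN", support_rdp_a),
        "support->B via VPN_IN": evaluate(rules, "VPN_IN", support_rdp_b),
        "ops->B via VPN_IN": evaluate(rules, "VPN_IN", ops_rdp_b),
        "support->B via ACL_VPN_SUPPORT": evaluate(rules, "ACL_VPN_SUPPORT", support_rdp_b),
    }


if __name__ == "__main__":
    for label, verdict in audit(parse_acls(SAMPLE_CONFIG)).items():
        print(f"{label:32s} {verdict}")
```

Running it shows VPN_IN confining the support pool to RDP on 192.168.1.17 while the operations pool reaches the whole server subnet. It also shows that the second ACL_VPN_SUPPORT entry, permit ip host 192.168.10.11 any, matches every destination, so if that list were applied as a per-user filter it would not limit the support user to server A. The parser handles only the plain host/net-mask/any syntax used in this thread; object groups, service keywords and time ranges are ignored.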


Rudy.villalona Mon, 09/29/2008 - 07:57

Greetings solpandor,


This is possible, through IPsec connection profiles. Within the IPsec connection profile realm you can set the IKE peer authentication to pre-shared key or certificate based. Here you would also choose the user auth type, which would be TACACS in this case. You can also assign a separate DHCP pool for each group based on the membership of the VPN user. You can assign group policies to show a different login banner to each group and apply different filters that allow access to only the resources you want each group to have.
