11-12-2008 08:25 AM - edited 02-21-2020 04:01 PM
I have been given a request by a client to create a profile for a VPN client. The requirements for this VPN client will be that they can access only one of our Production VLANs within our network, and be blocked from the rest.
Our network design is as follows: VPN clients connect to our ASA appliance using Cisco VPN client. The ASA is then configured to use TACACS+ and send the authentication requests for VPN users to our Cisco ACS server. The ACS server is then configured to query Active Directory for the user. If the provided user credentials are correct, and match Active Directory, then TACACS+ allows the connections.
I think I can configure the scenario as follows:
I will have to create a user in Active Directory for the specific account. Then somewhere on the ASA (perhaps in Dynamic Access Policies?) I will create a rule or profile that allows the user to see our VLAN 6 but no others.
I would appreciate any input or instruction with respect to this.
Thank You in advance.
11-12-2008 10:24 AM
Hello Kevin,
You can simply achieve this using vpn-filter
Regards
11-12-2008 08:14 PM
Sorry if I sound like I hijacked the post. I've read the document. Just wanted to know what to do if you wanted to terminate different client groups on the same infrastructure? I'm thinking that the vpn-filter would work assuming that you have only one VPN group. Can you:
- create different IP pools for different VPN groups?
- create and apply different vpn-filters to different VPN groups?
I've done something similar to what Kevin described in my network but using a MS RADIUS server instead.
Kevin, if you're interested please let me know
11-13-2008 02:36 AM
vpn-filter can be applied to many groups; it is not limited to only one group. I suggested vpn-filter because the asker mentioned "create a profile for VPN client": a different tunnel-group and group-policy for that specific client (a new profile) and a vpn-filter that denies that specific VLAN subnet, while other VPN clients have access without restriction by using their own profile.
Actually, if you have one group and don't want to create a new group, then MS RADIUS is the solution. You can use downloadable ACLs. It takes more time to configure RADIUS.
11-17-2008 07:41 PM
This is what I have configured so far in ASDM:
Configuration>Remote Access VPN>Network Access>Group Policies: created a Group Policy for the New user company.
Configuration>Remote Access VPN>Network Access>Address Assignment>Address Pools: created a 2nd address pool that will be specific for this client only.
Configuration>Remote Access VPN>Network Access>Dynamic Access Policies: created a Dynamic Access Policy for this user that matches on the AAA attributes "cisco.username" + "cisco.ipaddress". Created a Network ACL Filter that matches the source address (the 2nd IP pool address) to the allowed VLAN address.
So far when I select "Test Dynamic Access Policies" button, and then select any of the attributes including "Group Policy", "assigned IP Address", "Username" with AAA attribute type "Cisco" selected, it comes back with the result "continue"...
11-17-2008 07:51 PM
I recommend using LDAP authentication and LDAP mapping in this case. You can use just one tunnel-group, and then do attribute mapping with LDAP.
For example, on the ASA, you can say:
if the authenticated user resides in this Active Directory OU, or is a member of this group, then apply this group-policy.
Within the group-policy, apply your vpn-filter.
...all this using just one tunnel-group.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
11-18-2008 12:22 PM
At this point, I have a working configuration with respect to the fact that I can authenticate the VPN client with the new username and password. I establish the tunnel. But for some reason, the client is NOT restricted to the one VLAN that I wrote the ACL for.
I am not sure why this is happening. There are no hits on my ACL.
I have the ACL associated with a dynamic access policy. Should I have it configured in another place?
11-19-2008 07:55 AM
Post your VPN config.
Verify your test user is being assigned the right group-policy.
11-19-2008 02:05 PM
It is definitely getting the correct policy because it assigns an IP address from the correct pool.
Here is the config:
access-list Allerton extended permit ip host 10.10.1.101 VLAN6 255.255.255.0
access-list Allerton extended permit ip host 10.10.1.102 VLAN6 255.255.255.0
ip local pool allertonpool 10.10.1.101-10.10.1.102 mask 255.255.255.0
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Allerton
 description "Allow Allerton User access to VLAN 6 only"
 network-acl Allerton
group-policy DfltGrpPolicy attributes
 wins-server value 198.100.100.216
 dns-server value 198.100.100.216 198.100.100.221
 vpn-tunnel-protocol IPSec webvpn
 default-domain value boarsheadinn.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy GroupPolicy1 internal
group-policy vpn3000 internal
group-policy vpn3000 attributes
 dns-server value 198.100.100.216
 default-domain value cisco.com
group-policy bhivpn internal
group-policy bhivpn attributes
 dns-server value 198.100.100.216
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value boarsheadinn.com
group-policy Allerton internal
group-policy Allerton attributes
 address-pools value allertonpool
username scot password 0M2vA8UILCS3d1da encrypted privilege 15
username lori password Yr/gR83NybANK3/d encrypted
username lori attributes
 service-type remote-access
username mike password Wsj.4X2eWmD2US.x encrypted privilege 15
username michael password hwK5CLnjFad6pOit encrypted
username michael attributes
 service-type remote-access
username Allerton password zuCL/.ny007Tpc/h encrypted
username Allerton attributes
 service-type remote-access
username kevin password XmTFZixn8OcGdJ2G encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) vpn
 default-group-policy GroupPolicy1
tunnel-group bhivpn type remote-access
tunnel-group bhivpn general-attributes
 address-pool ippool
 authentication-server-group vpn LOCAL
 default-group-policy bhivpn
tunnel-group bhivpn ipsec-attributes
 pre-shared-key *
tunnel-group 206.248.224.2 type ipsec-l2l
tunnel-group 206.248.224.2 ipsec-attributes
 pre-shared-key *
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool ippool
 authentication-server-group vpn
 accounting-server-group vpn
 default-group-policy bhivpn
tunnel-group remote ipsec-attributes
 pre-shared-key *
tunnel-group 24.127.125.200 type ipsec-l2l
tunnel-group 24.127.125.200 ipsec-attributes
 pre-shared-key *
tunnel-group Allerton type remote-access
tunnel-group Allerton general-attributes
 address-pool allertonpool
 authentication-server-group vpn LOCAL
 default-group-policy Allerton
tunnel-group Allerton ipsec-attributes
 pre-shared-key *
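An added example, not from any poster in this thread, showing both suggestions made above in ASA 8.0-style configuration: the vpn-filter on the group-policy (11-13 post) and the single-tunnel-group LDAP group mapping (11-17 07:51 PM post), plus the commands used to verify which filter a session actually received. VLAN6 is assumed to be a `name` entry for the permitted subnet; the AD server address, DNs, group name and bind credentials are placeholders in angle brackets.

```text
! Filter ACL for the VPN client. For a vpn-filter the source is the address
! the client gets from its pool and the destination is the local network.
! Only VLAN 6 is permitted; the implicit deny at the end of the ACL blocks
! every other destination. (VLAN6 is assumed to be a "name" entry.)
access-list Allerton-FILTER extended permit ip host 10.10.1.101 VLAN6 255.255.255.0
access-list Allerton-FILTER extended permit ip host 10.10.1.102 VLAN6 255.255.255.0
ip local pool allertonpool 10.10.1.101-10.10.1.102 mask 255.255.255.0

! Group-policy for this client. The filter is attached here so it applies
! whether or not a DAP record matches. DAP attributes take precedence over
! group-policy attributes, so if a DAP record with its own network-acl does
! match the session, that ACL is the one applied instead of the vpn-filter.
group-policy Allerton internal
group-policy Allerton attributes
 vpn-tunnel-protocol IPSec
 address-pools value allertonpool
 vpn-filter value Allerton-FILTER

! Option A (11-13 post): a dedicated tunnel-group for this client.
tunnel-group Allerton type remote-access
tunnel-group Allerton general-attributes
 address-pool allertonpool
 default-group-policy Allerton

! Option B (11-17 07:51 PM post): one tunnel-group; LDAP selects the
! group-policy from the user's AD group membership (ASA 8.0 uses the
! IETF-Radius-Class attribute to carry the group-policy name).
ldap attribute-map AD-GROUPS
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=<vpn-vlan6-users>,OU=<Groups>,DC=<example>,DC=<com> Allerton
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host <ad-server-ip>
 ldap-base-dn DC=<example>,DC=<com>
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=<asa-bind-user>,CN=Users,DC=<example>,DC=<com>
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUPS
tunnel-group <single-ra-tunnel-group> general-attributes
 authentication-server-group AD-LDAP

! Verification after the client connects: "Filter Name" and "DAP records"
! in the session detail show what was applied; hitcnt on the ACL should
! increase for permitted traffic and stay at zero for blocked destinations.
show vpn-sessiondb detail remote filter name Allerton
show access-list Allerton-FILTER
```

A group-policy whose only attribute is the address pool, as in the posted config, inherits everything else from DfltGrpPolicy and has no vpn-filter of its own, so restriction then depends entirely on the DAP record matching.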