Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
556
Views
0
Helpful
1
Replies

Authentication of inside users ASA (EasyVPN)

stormfidus
Level 1
Level 1

‎12-08-2008 06:45 AM - edited ‎03-10-2019 04:13 PM

Greetings All

Authentication of users behind ASA 5505 connected to VPN3000 Concentrator with EasyVPN

According to the law in a certain country, we need to log the following:

Time & Datestamp

Username/ip address of the pc inside

Which sites they have visited (ip's, URL's etc..)

Eg. 11/4-2008 domain\john ip 192.168.2.23 visited ip 212.232.232.21/80

I would like to achieve this with using the ASA 5505 and my Cisco ACS 4.1 on my LAN behind the VPN3000 Concentrator.

Im trying to setup forced authentication for the users on the inside interface (lan) of the ASA5505. I need to force them to authenticate before they will be able to get any access outside their lan.

I have read on the forum, and tried som different solutions, but not been able to get any solution to work with all the needed info and also to work in conjunction with EasyVPN (Network Extension-Mode).

I tried with cut-thru proxy solution from the guide here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

It does not work, because the include/exclude statements is not allowed in conjunction with EasyVPN.

Error: WARNING: <_vpnc_nwp_acl> found duplicate element

WARNING: <_vpnc_nwp_acl> found duplicate element

Hybrid configurations using 'match' and 'include|exclude' are not supported

I have then looked at enabling "Individual User Authentication (IUA)", but since Im using split-tunneling, it seemes like its only for the

tunnelled networks authentication is enforced. And I dont want to tunnell all- hence the repsone-times to the remote site is very high.

Last I tried to make som HTTP redirect with aaa authentication listener http[s] interface_name [port portnum] [redirect], but thats also not

allowed in conjunction with EasyVPN.

Error:

* Remove 'aaa authentication listener' configuration

CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote

operation has been detected, and is listed above. Please resolve the

above configuration conflict(s) and re-enable.

The ASA is currently running IOS 7.2(4), but there's no problem in upgrading it to 8.0(4) if that could help me make a solution.

Is it possible to make this work somehow ?

/Claus

Labels:
0 Helpful
1 Reply 1

nefkensp
Level 5
Level 5

‎12-11-2008 11:44 AM

Hello Claus,

Have you tried downloadable access lists in combination with the ACS for the authentication? You can then use the accounting options of that downloadable access list to register who has done what.

You can do this in combination with the virtual http listener or the virtual telnet listener.

Check out: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwaaa.html

Hope this helps

Regards

P-J Nefkens

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents