ASA VPN client locking

mark.j.hodge
Level 3

I am running an ASA with multiple VPN Client groups, all authenticating against the same AAA server. Is there a way of preventing a user connecting on an individual group if they know the PSK?

What I want to be able to do is publish the PCF files internally, but prevent unauthorised access, i.e. only users in the Finance AAA group can connect to the Finance VPN, but everyone can connect to the Users VPN group.

I want to keep as much configuration on the ASA as possible, with just authentication on the AAA, as we may change AAA server in the future.

3 Replies

wharrison2000
Level 1

Search on the group-lock command on the Cisco site.

First you will have to create multiple group-policies on the ASA for the different types of users.

Then you will have to configure RADIUS attribute 25 on ACS with the name of the group-policy you want to have the user linked to.

After successful authentication, ACS will include attribute 25 (group-policy) in the response. The ASA will assign the user the group policy it received from ACS.

After authentication ACS will respond with the group-policy name and the ASA will use that group-policy for the user.

HTH

Syed Iftekhar Ahmed

I've recently just done this.

Syed has the ACS part down.

Here's a sample config part for the ASA.

group-policy VPNC_TEST_GP attributes
 group-lock value TEST_VPN_GROUP
 default-domain value MYDOMAIN.COM

tunnel-group TEST_VPN_GROUP type remote-access
tunnel-group TEST_VPN_GROUP general-attributes
 address-pool TEST_POOL
 authentication-server-group RAD_VPN_GRP LOCAL
 accounting-server-group RAD_VPN_GRP
 default-group-policy VPNC_TEST_GP
tunnel-group TEST_VPN_GROUP ipsec-attributes
 pre-shared-key *

***********************
On ACS, Group setting RADIUS IETF attribute 25
************************
OU=VPNC_TEST_GP;
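To make the mechanism in the replies above concrete, the following is an added model of the ASA's group-lock decision, not code from this thread or from Cisco. It parses the RADIUS attribute 25 (Class) value in the OU=NAME; form the thread configures on ACS, picks the group-policy (falling back to the tunnel-group's default-group-policy when no usable attribute comes back), and then refuses the session when that policy's group-lock names a different tunnel-group than the one the client connected to. VPNC_TEST_GP and TEST_VPN_GROUP come from the posted config; FINANCE_GP, USERS_GP, FINANCE_VPN_GROUP, USERS_VPN_GROUP and the sample AAA replies are constructed for the example.

```python
import re

# Constructed model of the ASA's group-lock check, built from the configuration
# quoted in the thread. Names other than VPNC_TEST_GP / TEST_VPN_GROUP are assumed.
# Each group-policy maps to the tunnel-group it is locked to (its group-lock value);
# None would mean the policy carries no group-lock at all.
GROUP_POLICIES = {
    "VPNC_TEST_GP": "TEST_VPN_GROUP",      # from the thread
    "FINANCE_GP": "FINANCE_VPN_GROUP",     # assumed: finance users only
    "USERS_GP": "USERS_VPN_GROUP",         # assumed: everyone else
}

# Each tunnel-group maps to its default-group-policy, applied when AAA returns
# no usable attribute 25 (the thread's config uses VPNC_TEST_GP for this).
TUNNEL_GROUPS = {
    "TEST_VPN_GROUP": "VPNC_TEST_GP",
    "FINANCE_VPN_GROUP": "FINANCE_GP",
    "USERS_VPN_GROUP": "USERS_GP",
}

# Format of the Class value the thread configures on ACS: OU=<group-policy>;
CLASS_RE = re.compile(r"^OU=([^;]+);?$")


def parse_class_attribute(value):
    """Return the group-policy name carried in a RADIUS attribute 25 (Class)
    value of the form 'OU=NAME;', or None if the value is missing or malformed."""
    if value is None:
        return None
    m = CLASS_RE.match(value.strip())
    return m.group(1) if m else None


def select_group_policy(tunnel_group, radius_attrs):
    """Pick the group-policy for a session: the one named by attribute 25 if it
    exists on the ASA, otherwise the tunnel-group's default-group-policy.
    (Falling back on an unknown or absent name is this model's simplification.)"""
    name = parse_class_attribute(radius_attrs.get("Class"))
    if name in GROUP_POLICIES:
        return name
    return TUNNEL_GROUPS[tunnel_group]


def authorize(tunnel_group, radius_attrs):
    """Apply the group-lock check after a successful AAA authentication.
    Returns (allowed, group_policy, reason)."""
    if tunnel_group not in TUNNEL_GROUPS:
        return False, None, "unknown tunnel-group"
    gp = select_group_policy(tunnel_group, radius_attrs)
    lock = GROUP_POLICIES[gp]
    if lock is not None and lock != tunnel_group:
        return False, gp, f"group-lock: {gp} is locked to {lock}, session arrived on {tunnel_group}"
    return True, gp, "ok"


if __name__ == "__main__":
    # Constructed AAA replies: what ACS would return for three users after a good password.
    cases = [
        ("finance user on the finance group", "FINANCE_VPN_GROUP", {"Class": "OU=FINANCE_GP;"}),
        ("ordinary user who knows the finance PSK", "FINANCE_VPN_GROUP", {"Class": "OU=USERS_GP;"}),
        ("user on the test group, no attribute 25 returned", "TEST_VPN_GROUP", {}),
    ]
    for label, tg, attrs in cases:
        allowed, gp, why = authorize(tg, attrs)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} policy={gp} ({why})")
```

The second case is the one the original question is about: knowing the Finance PSK gets the user through IKE, but the AAA-assigned policy is locked to another tunnel-group, so the session is dropped. The check only bites when the assigned policy actually carries a group-lock, so the Users policy needs one too; a policy with no group-lock can be used through any tunnel-group whose PSK is known.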
