vpn account centralise management

Unanswered Question
Sep 2nd, 2009

Hi all. My company has many site offices all over the world and the staff working in my HQ office need to support the multiple site offices worldwide. They do their support by establishing vpn to the various site office. All my site office are installed with cisco asa 5510. And i need to create a vpn account on all the individual asa 5510 boxes for every HQ staff that does remote support. Pls advise if there is any program from cisco or 3rd party that allow me to centralise manage vpn accounts. Thks in advance.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Wed, 09/02/2009 - 08:55

Don, if I understand your requirements your company have may remote site branches all with ASA5510s, so HQ folks have to RA VPN using cisco vpn cleint? I can understand the admin burden to creating local user accounts on each of thoese firewalls.. is there a reason why you are not using permanent Lan-to-Lan HUB to spoke vpns, I think L2L would be a more practical solution which does not requires individual RA VPN client to connect to them.. you can even have all permanent Ipsec tunnels communicate one another through QA HUB firewall.


donnie Thu, 09/03/2009 - 21:32

Hi Jorge. Your description of my company scenario is correct. We did not setup site to site vpn to various sites as there are many confidential information hosted in my HQ network that my management is not comfortable should the remote sites be able to access this same network. Is there a centralise management software that you can reccommend? Thks.

JORGE RODRIGUEZ Fri, 09/04/2009 - 08:03

Hi Don, I do not see a way how you could have a centralized VPN users account management system for users with your scenario, there are many ways to have centralized users accounts management system, few comes to mind such as IAS RADIUS, LDAP Windows Active directory where you can create in your HQ but this will not work as you indicated your HQ users initiate RA VPN from the HQ to the remote branches and not the other way around.

I think in a sitiation like this I would probably try to isolate those sensitive systems in the HQ that management is concenr about and have the branches do L2L vpn , with L2L vpn you dont have to open up everything, you can still be granular using source IP and destination IP we asll we tcp or udp port for L2L tunnel, and for users in remote branches needing access to sensitive system you then use Active directory for server system autentication.

If still L2L is not a solution for you, you could change the policy with RA VPN, instead of HQ users RA VPN into the remote branches have the remote branches RA VPN to the HQ and be able to have a centralized users account in your HQ, you could use DAP (Dynamic Access Policies) that works with LDAP or RADIUS and at the same time control what these RA VPN users from remote branches connecting to HQ can and cannot have access to.


If RADIUS or AD is not a solution for you,you can also look into per users VPN filters -and implement this in your HQ firewall and have the ASA as local users management device that also controls what users can and cannot access. Again, this would be in the scenario where branches RA VPN into HQ.




This Discussion