ACS 4.2 SE & Windows 2003, AD Group Restrictions?

stuart.baker · ‎09-16-2009

Hi All,

I'm sure this question has already been asked and the solution is simple - however it does not appear to be obvious!

My requirement is to have an AD group called 'CiscoAdmins' and another called 'VPNUsers'. Using ACS I want to only authorise members of the 'CiscoAdmins' group to perform telnet/SSH etc. and only permit members of the 'VPNUsers' group to connect in remotely via an ASA firewall. So in other words, authentication should only PASS if the user is a member of a particular AD group.

We currenty have all authentication/accounting working as needed using TACACS - refering to (Windows Database NOT LDAP) AD for correct username/password. However, we've noticed that members of the 'CiscoAdmins' group can perform VPN authentication and visa-versa - which is not so good. This is despite setting up the AD/ACS group mapping etc. and re-ordering many many times!

Is TACACS OK or should we revert to RADIUS & the same goes for Windows Database v LDAP ..?

I've trawled the net and this forum to no avail - please help!

There must be a guide somewhere for this simple request surely?

Regards,

Stu

Jagdeep Gambhir · ‎09-16-2009

Hi Stu,

To achieve it we need to set up Network access restriction option in ACS group setup.

Please check this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Let me know if you have any question.

Regards,

~JG

Do rate helpful posts

stuart.baker · ‎09-16-2009

Hi JG,

I've already seen that paper - and although descriptive am still none the wiser as it does not give any example. What property do I check against? as there is no AD group membership property ..

You HAVE however confirmed my thougts that a NAR is the way forward ..

Can you confirm that using TACACS is OK for what I want to do? i.e I will not need to revert to RADIUS or setup a LDAP database connection.

Are there any configuration examples to help?

Thanks again,

Stu

Jatin Katyal · ‎09-16-2009

Hi Staurt,

As you have two groups

CiscoAdmins // Should have ssh/telnet access // No access to vpn

VPNUsers // Should have access to VPN

// No access to ssh/telnet

Now, since in both session calling station id is an ip address. It can't be archived via NAR.

Here we also have to use radius protocol so please add ASA as a radius client in network configuration.

Try this:

On the Ciscoadmins group

========================

we need to configure following attribute on ACS's Group or User :

For RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) check "[026/3076/085] Tunnel-Group-Lock"

and type any garbage value, Though on ACS you'll see successful authentication, but user will never be able to connect via VPN but they will be able to do ssh/telnet.

On the VPNUsers

===============

You need to configure downloadable access-list. using this feature you can block ssh and telnet ports and user should have access only to VPN.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

Let me know if you have any query.

HTH

Regards,

JK

~Jatin

stuart.baker · ‎09-16-2009

Thanks again JK,

I'll give this a go and feedback ..

So just to confirm, am I right in understanding that there is NO way of restricting access simply by checking AD group membership? Therefore the only way is to restrict certain elements as you describe? Seems like a lot of work ..

Regards,

Stu

Jatin Katyal · ‎09-16-2009

Hi Staurt,

I do agree that there is pain configuring DACL :(.

If your AD start acting as LDAP server... this is far easier then what you are gonna do?

HTH

Regards,

JK

~Jatin

stuart.baker · ‎09-16-2009

Hi JK,

So If I configured my AD as a 'Generic LDAP' rather than a 'Windows Database' it would make the configuration simpler?

Happy to do so if this is the case (likewise with choice between TACACS or RADIUS)...

I'm looking for the simplest configuration that will be easy to maintain ..

What would the configuration look like in this case?

Thanks again,

Stu

Jatin Katyal · ‎09-16-2009

In that case, ACS will not be of any use.

We have to completely by-pass the ACS and get the ASA integrated directly with LDAP server.

//AAA-server configuration//

aaa-server LDAP-AD protocol ldap

aaa-server LDAP-AD host

server-port 389

ldap-base-dn

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-dn

ldap-login-password

server-type microsoft

ldap attribute-map CISCOMAP

//Restricting VPN access//

ldap attribute-map CISCOMAP

map-name msNPAllowDialin IETF-Radius-Class

map-value msNPAllowDialin FALSE NOACCESS

map-value msNPAllowDialin TRUE ALLOWACCESS

You should have 2 group-policy (1 for allow access and 1 for deny access)

NOTE: On the AD, you can restrict users base on dial in access.

All info available in configuration example:

http://www.cisco.com/application/pdf/paws/91831/mappingsvctovpn.pdf

//Restricting SSh/telnet access//

map-name memberOf IETF-Radius-service-type

map-value memberOf service-type 6

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

Seems difficult but its not :)

Feel free to contact for any query.

HTH

Regards,

JK

~Jatin