10-14-2009 01:13 AM - edited 03-11-2019 09:25 AM
Hello all,
Do you know if there is a way to deny traffic through a Cisco ASA for all non-domain users?
Or do we have to use a NAC system ? (and, if yes, what kind of NAC system?)
Many thanks
regards,
10-14-2009 04:33 AM
NAC is a way to go: http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
You can also use ACS to authenticate users before going through the ASA. You can also integrate ACS with your Active Directory.
Not very trivial tasks but the technology is there to support them.
PK
10-18-2009 11:59 PM
Hello,
ACS seems to be a good way. However, I can't find any information about authenticating users' traffic on the ASA with ACS. I only saw documentation on how to secure access to the firewall with ACS, but nothing about authenticating users when they are trying to pass through the FW.
Can someone help me by providing me some URL about it?
Many thanks
10-14-2009 10:10 AM
If you are trying to do this for VPN connections into your ASA:
-you can deny the non-domain users from logging in with ldap attribute maps or dap
-you can also restrict access with a vpn-filter acl or webvpn type acl applied in the group policy
10-21-2009 12:43 AM
Hello hdashnau,
It's not for VPN connections but for all traffic from one local zone to another.
I'm still looking for a way to do that, with ACS or NAC, but I can't find any documentation on it.
Did someone already face this issue?
Many thanks,
Regards
10-21-2009 06:08 AM
Hi K,
have a look at "cut-through proxy" aka "AAA for network access":
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html
hth
H
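A worked cut-through proxy configuration of the kind H points to, added here as an example (it is not from the thread or from the linked guide); interface names, addresses, group names and the shared secret are placeholders, and the ACS server is assumed to be joined to Active Directory so that non-domain accounts fail authentication:

```cisco
! Constructed example: "AAA for network access" (cut-through proxy) on an
! ASA 8.2, authenticating inside users against ACS over RADIUS before any
! of their traffic is allowed into the other zone.

! 1. AAA server group pointing at ACS (placeholder address and key).
aaa-server ACS-GROUP protocol radius
aaa-server ACS-GROUP (inside) host 10.0.0.5
 key CHANGE-ME-SHARED-SECRET

! 2. Traffic that must be authenticated: inside user subnet (placeholder
!    10.10.0.0/16) to the other local zone (placeholder 10.20.0.0/16).
access-list AUTH-TRAFFIC extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

! 3. Require authentication for that traffic on the interface it enters.
!    The ASA only prompts for credentials on Telnet, FTP, HTTP and HTTPS;
!    any other matching traffic is dropped until the user has
!    authenticated through one of those protocols.
aaa authentication match AUTH-TRAFFIC inside ACS-GROUP

! 4. Give users a way to log in that does not depend on the first
!    application they open: the HTTP listener serves the ASA's own login
!    page, and the virtual telnet address (an unused placeholder address
!    routed to the ASA) lets non-web clients authenticate with telnet.
aaa authentication listener http inside port 1080 redirect
virtual telnet 10.10.255.254

! 5. Expire an authenticated user after 30 minutes without traffic, so an
!    unattended workstation does not keep the hole open.
timeout uauth 0:30:00 inactivity

! With RADIUS, ACS can also return a per-user downloadable ACL in the
! Access-Accept, which restricts what an authenticated domain user may
! reach; no additional ASA command is needed for that.
```

Verify with "show uauth" after a test login: an authenticated user appears there with the source address the ASA will now permit, and a failed non-domain login leaves no entry.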