Restricting IPSec to certain users/groups

Unanswered Question
Apr 26th, 2010

Dear friends,


There is a requirement to restrict IPSec access and confine it to a few users only.

The setup we have is VPN Concentrator 3015 4.7.2P--> ACS Solution engine 4.2 -->LDAP -->Windows AD.

The LDAP server has around 30-35 groups, and we want to allow access to only a few of them.


I am not sure what the best way is to allow access to only a few users.
Currently, anyone having the group name and password can log in. But we want to restrict IPSec access to only a few groups.

In response to this requirement, I had configured RADIUS authorization on the VPN concentrator and I created a test ACS local group where I had configured a RADIUS attribute with a split tunnel access-list that's defined on the concentrator. This access-list is a dummy access-list that permits a small /29 subnet through the VPN. So, basically my idea was that I will restrict VPN control to specific users by having ACS local groups mapped to LDAP groups and then configure these local groups to push a RADIUS attribute 026\3076\027 "ipsec-split-tunnel-list" to the VPN concentrator.

This worked for me, but the client wants a finer solution in this regard. He wants something to the effect of denying a user at the authentication stage itself. Is it possible?


Would really appreciate any suggestions / pointers for this.


Thanks a lot
Gautam
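As an added example (not from the original post and not Cisco's own code), the following Python encodes and decodes the RADIUS attribute 026\3076\027 mentioned above in the RFC 2865 Vendor-Specific sub-format (Type 26, Vendor-Id 3076, vendor-type 27 carrying the ACL name), and contrasts the two reply shapes under discussion: Access-Accept with a restrictive split-tunnel list versus Access-Reject at the authentication stage. The ACL name, user names and function names are constructed for illustration.

```python
import struct

RADIUS_VSA_TYPE = 26            # RFC 2865 Vendor-Specific attribute
CISCO_VPN3000_VENDOR_ID = 3076  # vendor id from the page (026\3076\027)
IPSEC_SPLIT_TUNNEL_LIST = 27    # vendor-type from the page: ipsec-split-tunnel-list
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS packet codes

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one VSA: Type, Length, Vendor-Id(4), Vendor-Type, Vendor-Length, value."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + sub
    if len(body) + 2 > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_VSA_TYPE, len(body) + 2) + body

def decode_vsa(avp: bytes):
    """Parse a VSA back into (vendor_id, vendor_type, value); reject malformed lengths."""
    if len(avp) < 8:
        raise ValueError("attribute too short for a Vendor-Specific AVP")
    atype, alen = struct.unpack("!BB", avp[:2])
    if atype != RADIUS_VSA_TYPE or alen != len(avp):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    vtype, vlen = struct.unpack("!BB", avp[6:8])
    if vlen != alen - 6:  # vendor-length covers vendor-type, vendor-length and value
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vtype, avp[8:8 + vlen - 2]

def split_tunnel_avp(acl_name: str) -> bytes:
    """The attribute the post pushes: the concentrator-side ACL name as a VSA."""
    return encode_vsa(CISCO_VPN3000_VENDOR_ID, IPSEC_SPLIT_TUNNEL_LIST, acl_name.encode("ascii"))

def authorize(user_groups, allowed_groups, deny_at_auth: bool, acl_name="RESTRICT_29"):
    """Return (code, attributes). deny_at_auth=False models the post's current approach
    (always accept, constrain with a dummy split-tunnel ACL); True models the client's
    request (reject non-members before the tunnel is ever established)."""
    permitted = bool(set(user_groups) & set(allowed_groups))
    if permitted:
        return ACCESS_ACCEPT, []
    if deny_at_auth:
        return ACCESS_REJECT, []
    return ACCESS_ACCEPT, [split_tunnel_avp(acl_name)]
```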

gautamzone Mon, 04/26/2010 - 11:18

Dear Jagdeep,


Thanks a lot for the valuable information.

However, if I apply NAR to a group, does it take effect for IPSec sessions alone or also for WebVPN sessions?


Just wanted to add that the VPN concentrator is a RADIUS client to ACS for both WebVPN and IPSec VPN.

And I need to apply NAR only for IPSec VPN.

The WebVPN users have no such restrictions, as it is a service open to all.


Do you have any suggestions on how do we achieve this?


Thanks a lot

Gautam

jelloyd Tue, 04/27/2010 - 07:45

Gautam,


The problem seems to be that anyone existing in AD can get in, granted that they have the VPN3000 groupname/password combo. If your client wants to stop users from getting in at the authentication stage, you can do this by eliminating the use of groupname/password for phase 1 authentication. If you use digital certs for phase 1 authentication, you can effectively control who can get in and who cannot. If you use something like MS CA to generate and issue the certificates, you can mark them as non-exportable such that whoever you issue the cert to cannot "copy" the cert over to another machine and have it function there. This would guarantee two things:


1) That a specific user is the only one allowed to get in to the VPN

2) That this user can only get in from the particular machine where they've installed the cert


However, if you are looking to accomplish this with the existing setup (i.e. groupname/password) and not digital certs, and if you are open to configuring a local ACS user group, you could employ the group-lock feature between the VPN3000 and ACS. With this feature, you can assign ACS users to a corresponding group on the VPN3000 device. You could then set up one group to allow all VPN access, while you set up another one to block all access. You could then control which users get mapped to which groups within ACS:


http://www.cisco.com/en/US/partner/tech/tk59/technologies_configuration_example09186a00800946a2.shtml


You may also be able to use NAC or NAC Framework to do identity-based restriction. I took a quick peek at the deployment guide (pgs. 22 - 24) for NAC Framework and see that there looks to be an option for allowing network access based on identity in addition to posture assessment.


http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd80417226.pdf


The NAC Framework solution uses a combination of the VPN3000 talking to RADIUS and the CTA client running in the background on the client machine.


Hope this helps,

-Jeff