Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
509
Views
0
Helpful
5
Replies

vpn with RSA tokens

Nicholas Wysocki
Level 1
Level 1

‎05-10-2010 12:17 PM

Is there a to have the asa when people vpn in to the asa it will put them on there vlan used internal by authentication?

I am currently implementing the use of RSA tokens for vpn in access. it works with the protocal SDI. Currenlt i use an address pool for the vpn. everyone that logs in get put on the same address pool.

Labels:
0 Helpful
5 Replies 5

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-10-2010 12:48 PM

Hi,

The only way I see to be able to put VPN users in their corresponding VLAN, is to assign them their corresponding IP address.

i.e

You have three VLANs:

VLAN X

VLAN Y

VLAN Z

So, you can have three VPN pools, to assign to the clients based on their profile.

They will receive an IP address depending on which profile they connect to (corresponding VLAN).

Is this what you want?

Federico.

0 Helpful

Nicholas Wysocki
Level 1
Level 1
In response to Federico Coto Fajardo

‎05-10-2010 12:55 PM

I know i would have to creat a logical interface per vlan. The host when logging in inside are assiged by dhcp /24. If i was to give the same address pool per vlan there might be duplicated ip's. But with trying to give all the empliyes one address to vpn on who would the asa know which pool to pool from? Is there any way to get info from the SDI server when they login?

0 Helpful

sjbdallas
Level 1
Level 1
In response to Nicholas Wysocki

‎05-10-2010 01:01 PM

The RSA server can't to that.  I think you'd need to use a RADIUS server to apply those attributes.

Have all your auth go against the RADIUS server and assign VLANs based on some attribute there (userid, IP they're coming from, etc)

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to sjbdallas

‎05-10-2010 01:04 PM

Steven,

Not sure if you can get those attributes from SDI server.

However on the ASA itself, you can force a VPN client to authenticate to an specific group and obtain the network information and all parameters from that specific group.

Federico.

0 Helpful

Nicholas Wysocki
Level 1
Level 1

‎05-10-2010 01:26 PM

The Radius server is the SDI server as well, its built in. When i changed the aaa-server to use the radius part. the user name and password pops up but my credential did not work. I even tried putting the token number for the password. What is the config would be able to pull the group info and use as part of the assigment?

0 Helpful
Customers Also Viewed These Support Documents