Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ADvice on TACACS+

Hi there

I am trying to implement the following scenario and would like to know the best solution for me,

We have 2 groups of Remote VPN users 1) support 2)Operations both using Cisco client vpn to log in remotely to our site

1)When members of the support group VPN in, I want our Cisco ASA to give them an IP range from Pool A of Ip addresses and I want them to be authenticated using TACACS and then after successful authentication they are redirected to or only have access to Server A

2)When members of the Operations group VPN in, I want our Cisco ASA to give them an IP range from Pool B of Ip addresses I want them to be authenticated using TACACS and then after successful authentication they are redirected to Server A AND have full access to Servers B,C,D etc

Is this possible? and if so how?

Regards

5 REPLIES
New Member

Re: ADvice on TACACS+

Hi,

Yes this can be done.

This doc will be helpful in configuring the ASA for VPN:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ike.html

On the ACS you create a 2 user groups and link them to their appropriate LDAP/Active Directory groups. Create a downloadable IP ACL on the ACS to DENY SUPPORT group access to servers B,C and D and then the OPERATIONS group will have access to all servers WITHOUT an IP ACL.

Here is a link to downloadable ACL's.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wpxref8297

I'm making the assumption that you somewhat understand these features and configurations of these devices. I can elaborate more if needed later on. There are a couple of ways to make your scenario work but this is the first one that comes to mind.

Radius could be used to lock users into their appropriate groups as well.

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

I think its the same for an ASA as for the 3000 concentrator.

HTH

Craig

Silver

Re: ADvice on TACACS+

I have a different philosophy and I call it:

Keep It Simple Stupid (KISS).

I would do the following:

Place your ASA VPN device behind a both outside

and interface behind the firewall,

Setup VPN with two groups, VPN and NetOps,

and use Radius to lock users into appropriate

groups. VPN will get ip pool VPN_pool and

NetOps will get VPN_NetOps.

Create rule on the firewall to allow

appropriate to access resources based on IP

pool.

This way it is much simpler than setting up

download ACL.

Most enterprises setup VPN this way. They

separate the functions of VPN and firewall

into different devices.

my 2c

New Member

Re: ADvice on TACACS+

guys

thanks for your input. The thing with ACS is i doubt we will be willing to spend the thousands on it. The 2nd solution seems more within budget (FREE) so i will test and see i post my findings back here

Thanks once again for your advice

New Member

Re: ADvice on TACACS+

hi guys

Ive set up the following 2nd vpn to allow a support user Remote Access to only one server. The VPN connects ok and assigns the right VPN but when I try to RDP from the support laptop to the server nothing happens. The access lists arent getting hit so Im lost as to why not. Ive also added a static route on the server back to the Remote pool using a different Gateway (as this is in a test environment at present). Any ideas?

IP POOL for Remote user

ip local pool RA_VPN_SUPPORT 192.168.10.11 mask 255.255.255.255

NO NAT

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

For Split Tunnel -

access-list ACL_RA_VPN permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

ACL for RDP to server

access-list ACL_VPN_SUPPORT permit tcp host 192.168.10.11 host 192.168.1.17 eq 3389

access-list ACL_VPN_SUPPORT permit ip host 192.168.10.11 any

CRYPTO MAPS

crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac

crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET

ISAKMP

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

VPNGROUP

vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT

vpngroup RA_VPN_SUPPORT dns-server 192.168.1.19

vpngroup RA_VPN_SUPPORT default-domain test.com

vpngroup RA_VPN_SUPPORT split-tunnel ACL_VPN_SUPPORT

vpngroup RA_VPN_SUPPORT idle-time 1800

vpngroup RA_VPN_SUPPORT password ********

Regards

New Member

Re: ADvice on TACACS+

Greetings Soplandor,

This is possible, through ipsec conncection profiles. Within the ipsec connection profile realm you can set the IKE-Peer authentication to Pre-shared Key or Certificate based. Here you would choose also the user auth type which would be Tacacs in this case. You can also assign a separate dhcp pool for each group based on the membership of the vpn user. You can assign group policies to show a different login banner to each group and apply different filters that allow access to only the resources you want each group to have.

136
Views
0
Helpful
5
Replies
CreatePlease login to create content