Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Authentication of inside users ASA (EasyVPN)

Greetings All

Authentication of users behind ASA 5505 connected to VPN3000 Concentrator with EasyVPN

According to the law in a certain country, we need to log the following:

Time & Datestamp

Username/ip address of the pc inside

Which sites they have visited (ip's, URL's etc..)

Eg. 11/4-2008 domain\john ip 192.168.2.23 visited ip 212.232.232.21/80

I would like to achieve this with using the ASA 5505 and my Cisco ACS 4.1 on my LAN behind the VPN3000 Concentrator.

Im trying to setup forced authentication for the users on the inside interface (lan) of the ASA5505. I need to force them to authenticate before they will be able to get any access outside their lan.

I have read on the forum, and tried som different solutions, but not been able to get any solution to work with all the needed info and also to work in conjunction with EasyVPN (Network Extension-Mode).

I tried with cut-thru proxy solution from the guide here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

It does not work, because the include/exclude statements is not allowed in conjunction with EasyVPN.

Error: WARNING: <_vpnc_nwp_acl> found duplicate element

WARNING: <_vpnc_nwp_acl> found duplicate element

Hybrid configurations using 'match' and 'include|exclude' are not supported

I have then looked at enabling "Individual User Authentication (IUA)", but since Im using split-tunneling, it seemes like its only for the

tunnelled networks authentication is enforced. And I dont want to tunnell all- hence the repsone-times to the remote site is very high.

Last I tried to make som HTTP redirect with aaa authentication listener http[s] interface_name [port portnum] [redirect], but thats also not

allowed in conjunction with EasyVPN.

Error:

* Remove 'aaa authentication listener' configuration

CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote

operation has been detected, and is listed above. Please resolve the

above configuration conflict(s) and re-enable.

The ASA is currently running IOS 7.2(4), but there's no problem in upgrading it to 8.0(4) if that could help me make a solution.

Is it possible to make this work somehow ?

/Claus

1 REPLY
New Member

Re: Authentication of inside users ASA (EasyVPN)

Hello Claus,

Have you tried downloadable access lists in combination with the ACS for the authentication? You can then use the accounting options of that downloadable access list to register who has done what.

You can do this in combination with the virtual http listener or the virtual telnet listener.

Check out: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwaaa.html

Hope this helps

Regards

P-J Nefkens

234
Views
0
Helpful
1
Replies