1256 Views · 0 Helpful · 6 Replies

NAC VPN SSO Help

t805986 (Level 1)

I have recently inherited the administration of a NAC solution that is in need of a tune-up (currently running 4.1.8!!). The biggest complaint I get from users is that VPN SSO does not work and that users must open a web browser to authenticate to NAC once their SSL VPN has been established. I'm quite familiar with how to configure VPN SSO and I'm ready to do so; however, I can't find the answer to one specific question I have. Can you enable VPN SSO for select types of users only? We have a combination of both employees (who have the agent) and contractors (who don't have the agent). I only want VPN SSO to work for employees, and I want contractors to have to open a web browser to authenticate. Is this possible, and if so, how? I have found that if you don't have the agent and VPN SSO is enabled, the login is very awkward. You open a browser, you get redirected to NAC, and then you get logged in once Java or ActiveX runs without having to provide your credentials, and then you don't get redirected back to your original HTTP request.

Thanks!

1 Accepted Solution

Accepted Solutions

Tarik Admani (VIP Alumni)

For your employees you can use the Class attribute to map them to a user role within NAC under the Cisco VPN auth provider mapping criteria. You can also map the contractors' Class attribute to the Unauthenticated role, so when they pull up their browser they will see the authentication page. Once they authenticate, then in their user role you can select the redirection page.

Hope this helps.

Tarik Admani


6 Replies


That works. Thank you!

What does the class attribute correspond to with VPN SSO that is matched against?  (E.g., the VPN group name, etc.?)

I would like to do something similar with VPN SSO, but map users to roles based on their VPN pool IP address.  How would this be accomplished?

You really have two options. My VPN SSO mapping rules match radius attribute 25, which is the name of the VPN group policy the user belongs to. When the ASA sends the accounting message to the NAC to indicate a new user has logged in, it includes radius attribute 25.

The other option is to just match based on "Framed IP Address". Either one should work.

Thanks for the reply.  I tried attribute 25, but it wasn't working.  When I enabled "debug radius decode" on the ASA (v 8.2.4) I can see that this attribute is not in the RADIUS accounting packet sent to the CAS (v 4.8.2).

I'm working with "Framed IP Address" (attribute 8), which is being sent, but the matching is not very elegant for what I want to do. Since I cannot match using CIDR or a range, it seems I have to write multiple mapping rules and use, e.g., "starts with" matching.

Ended up with the following matching based on Framed IP Address, which mostly does what I want:

(0,8 contains 192.168.47) maps to Role1

(NOT (0,8 contains 192.168.47)) maps to Role2

The second expression was key, since I have a fairly large range of VPN pool IPs for that Role, and the negation saved me from having to write a bunch of rules for different segments of the IP ranges.

The only downside was that the pool I was going to use for Role1 was smaller than a /24, but I didn't see a way to easily match that, so I just increased the pool size to facilitate matching.

Enhancement request for Cisco: please add more flexible matching, e.g., regex, to NAC role mapping!
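The following is an added example, not code from the thread or from Cisco NAC. It models the two mapping approaches discussed above (the accepted answer's Class-attribute rule, and the later posts' Framed-IP-Address rules with "contains"/"starts with" string operators) as plain Python, evaluates them over a handful of constructed RADIUS accounting records, and then shows concretely why string matching cannot express the /25 pool the last poster wanted. The record contents, the group-policy name "EmployeeGP", the role names, and the operator semantics are assumptions for illustration; a real CAS is not involved.

```python
import ipaddress

# Constructed RADIUS accounting records standing in for what the ASA sends
# the CAS when a VPN user logs in. Attribute 8 is Framed-IP-Address,
# attribute 25 is Class. Class is present only on the first record, mirroring
# the thread (one poster's ASA sent it, the other's did not). All values are
# made up for this example.
ACCT_RECORDS = [
    {"User-Name": "alice", "Framed-IP-Address": "192.168.47.12", "Class": "EmployeeGP"},
    {"User-Name": "bob",   "Framed-IP-Address": "192.168.47.200"},
    {"User-Name": "carol", "Framed-IP-Address": "192.168.60.9"},
    {"User-Name": "dave",  "Framed-IP-Address": "10.192.168.47"},  # substring trap
    {"User-Name": "erin",  "Framed-IP-Address": "192.168.48.3"},
]

def nac_attr_match(value, op, needle):
    """String operators of the kind the thread uses in mapping rules (assumed)."""
    if op == "contains":
        return needle in value
    if op == "starts with":
        return value.startswith(needle)
    if op == "equals":
        return value == needle
    raise ValueError(f"unknown operator {op!r}")

def nac_style_role(rec):
    """The thread's ruleset evaluated in order: a Class-attribute rule for
    employees first, then the two Framed-IP-Address rules from the final post."""
    if nac_attr_match(rec.get("Class", ""), "equals", "EmployeeGP"):
        return "Employee"
    ip = rec["Framed-IP-Address"]
    if nac_attr_match(ip, "contains", "192.168.47"):   # (0,8 contains 192.168.47)
        return "Role1"
    return "Role2"                                      # NOT (0,8 contains 192.168.47)

# What the enhancement request asks for: prefix-based matching. The /25 is the
# pool size the poster originally wanted before enlarging it to a /24.
CIDR_RULES = [
    (ipaddress.ip_network("192.168.47.0/25"), "Role1"),
    (ipaddress.ip_network("0.0.0.0/0"), "Role2"),
]

def cidr_role(rec, rules=CIDR_RULES):
    """Longest-prefix match on Framed-IP-Address; Class is handled as above."""
    if nac_attr_match(rec.get("Class", ""), "equals", "EmployeeGP"):
        return "Employee"
    addr = ipaddress.ip_address(rec["Framed-IP-Address"])
    hits = [(net.prefixlen, role) for net, role in rules if addr in net]
    return max(hits)[1]

def starts_with_rules(pool_cidr, universe_cidr):
    """Smallest set of 'starts with' needles that matches every address in the
    pool and nothing else in the universe, plus the pool addresses that no
    needle can isolate because their dotted-decimal text is a prefix of an
    out-of-pool address (192.168.47.20 is a prefix of 192.168.47.200)."""
    in_pool = {str(a) for a in ipaddress.ip_network(pool_cidr)}
    everything = [str(a) for a in ipaddress.ip_network(universe_cidr)]

    def exact(prefix):
        return all(s in in_pool for s in everything if s.startswith(prefix))

    rules, unreachable = set(), []
    for s in sorted(in_pool, key=ipaddress.ip_address):
        for n in range(1, len(s) + 1):      # shortest exact prefix wins
            if exact(s[:n]):
                rules.add(s[:n])
                break
        else:
            unreachable.append(s)           # even the full string overmatches
    return sorted(rules), unreachable

if __name__ == "__main__":
    for rec in ACCT_RECORDS:
        print(f"{rec['User-Name']:6} {rec['Framed-IP-Address']:15} "
              f"string rules -> {nac_style_role(rec):8} cidr -> {cidr_role(rec)}")
    rules, gaps = starts_with_rules("192.168.47.0/25", "192.168.47.0/24")
    print(f"/25 pool: {len(rules)} 'starts with' rules, {len(gaps)} hosts unreachable")
```

Two things fall out of running this. The "contains 192.168.47" rule is a substring test, so an address such as 10.192.168.47 from some other pool lands in Role1; "starts with 192.168.47." is the safer spelling of the same intent. And for the /25 the poster originally wanted, string prefixes come out at 22 separate rules while still leaving 16 hosts that no "starts with" needle can match without also matching a host outside the pool, which is exactly why enlarging the pool to a /24 (and negating the rule for the other role) was the practical workaround.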
