
How would you deal with this in the ASA?

John Blakley
VIP Alumni

I have configured SSL VPNs using AnyConnect on my ASA 5520. I've run into a snag, and I'm not sure of the best way to deal with it.

We authenticate VPNs through RADIUS. The WebVPN is doing the same, but the problem comes in when I'll need to give access to outside vendors. Not every vendor gets access to the same thing. One vendor may need access to 5 servers, another may need access to 5 different ones, etc. I *think* I need to lock these users in a group, but I'm not sure of the best way to go about this since I won't be using local accounts.

The tunnel-group is specified to authenticate against the RADIUS server, and it works well, but there's no way for me to say "This AD user gets access to this group, and this one gets access to this other tunnel-group."

Are any of you doing this same type of thing at the moment? I've locked users in groups before on a VPN concentrator, but it was one group. There's going to be many, many people with different needs in this scenario.

Thanks,

John

HTH, John *** Please rate all useful posts ***

JORGE RODRIGUEZ
Level 10

Hi John,

You might be able to accomplish it through Dynamic Access Policies - works with LDAP/AD. Personally I have not used it yet, so this is an educated response. From what I have read, it sounds like it might provide you the results for your requirement.

Have a look at these two links:

See DAP section mid page down

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html

DAP deployment in general

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Regards

Jorge Rodriguez