Cisco Support Community

New Member

Restrict access for non-domain users on a CISCO ASA

Hello all,

Do you know if there is a way to deny traffic through a CISCO ASA for all non-domain users?

Or do we have to use a NAC system? (And if yes, what kind of NAC system?)

Many thanks

regards,

  • Firewalling
5 REPLIES
Cisco Employee

Re: Restrict access for non-domain users on a CISCO ASA

NAC is a way to go http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html.

You can also use ACS to authenticate users before going through the ASA. You can also integrate ACS with your Active Directory.

Not very trivial tasks but the technology is there to support them.

PK

New Member

Re: Restrict access for non-domain users on a CISCO ASA

Hello,

ACS seems to be a good way. However, I can't find any information about authenticating traffic users on ASA with ACS. I only saw documentation on how to secure access on the firewall with ACS, but nothing about authenticating users when they are trying to pass through the FW.

Can someone help me by providing me some URL about it?

Many thanks

Cisco Employee

Re: Restrict access for non-domain users on a CISCO ASA

If you are trying to do this for VPN connections into your ASA:

-you can deny the non-domain users from logging in with ldap attribute maps or dap

-you can also restrict access with a vpn-filter acl or webvpn type acl applied in the group policy
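As an added illustration of the two VPN-side options named in this reply (it is not configuration from the thread or from Cisco), the fragment below shows an ASA remote-access setup where an LDAP attribute map turns AD group membership into a group-policy assignment, users who match no mapped group fall into a default policy with zero allowed logins, and a vpn-filter ACL limits what authenticated domain users can reach. All names and addresses (AD_LDAP, 10.0.0.10, the DNs, GP_DOMAIN_USERS, 10.1.0.0/16, RA_VPN) are assumed values for the example; the bind password is a placeholder.

```cisco
! --- Added example: assumed names/addresses, not the thread's configuration ---
! Map the AD "memberOf" attribute onto the RADIUS Class attribute, which the ASA
! interprets as the group-policy name to assign at login.
ldap attribute-map AD_GROUP_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP_DOMAIN_USERS
!
! LDAP server group used to authenticate VPN users against Active Directory.
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <BIND_PASSWORD_PLACEHOLDER>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP
!
! Default policy for anyone the attribute map did not place in a group:
! zero simultaneous logins means the session is refused after authentication.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
!
! vpn-filter ACEs are written with the inside network as the source and the
! VPN client as the destination; this one confines domain users to 10.1.0.0/16.
access-list VPN_FILTER extended permit ip 10.1.0.0 255.255.0.0 any
group-policy GP_DOMAIN_USERS internal
group-policy GP_DOMAIN_USERS attributes
 vpn-filter value VPN_FILTER
 vpn-simultaneous-logins 3
!
! Tunnel group: authenticate against AD, land unmapped users in GP_NOACCESS.
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 authentication-server-group AD_LDAP
 default-group-policy GP_NOACCESS
```

The deny is enforced by the default group policy rather than by the LDAP bind succeeding or failing, so a valid AD account that is not in the mapped group still cannot establish a tunnel; checking `show vpn-sessiondb` after a test login for each case is the quickest way to confirm the mapping is doing what you expect.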

New Member

Re: Restrict access for non-domain users on a CISCO ASA

Hello hdashnau,

It's not for VPN connections but for all traffic from one local zone to another.

I'm still looking for a way to do that, with ACS or NAC, but I can't find any documentation on it.

Did someone already face this issue?

Many thanks,

Regards

Cisco Employee

Re: Restrict access for non-domain users on a CISCO ASA

Hi K,

have a look at "cut-through proxy", aka "AAA for network access":

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html

hth

H
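To make the cut-through proxy pointer concrete, here is an added example (not configuration from the thread, from Cisco, or from the linked guide) of AAA for network access on an ASA: traffic from an inside user LAN is matched by an ACL and must be authenticated against an ACS server before the ASA forwards it. The server group name, shared-secret placeholder, addresses (10.0.0.5, 10.1.0.0/16, 10.1.255.254), listener port and timeouts are all assumed values chosen for the example.

```cisco
! --- Added example: assumed names/addresses, not the thread's configuration ---
! AAA server group pointing at ACS over TACACS+ (RADIUS works the same way).
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.0.0.5
 key <SHARED_SECRET_PLACEHOLDER>
!
! Every flow from the user LAN must be authenticated before it is forwarded.
! HTTP, HTTPS, FTP and Telnet flows get an inline login prompt; any other
! protocol in this ACL is dropped until the source IP has authenticated.
access-list AUTH_MATCH extended permit ip 10.1.0.0 255.255.0.0 any
!
! Cut-through proxy: prompt once, then forward matching flows for that user/IP.
aaa authentication match AUTH_MATCH inside ACS
! Optional: let ACS return per-user authorization for what they may reach.
aaa authorization match AUTH_MATCH inside ACS
!
! Have the ASA itself serve the HTTP login page and redirect browsers to it,
! instead of injecting a basic-auth challenge into the proxied connection.
aaa authentication listener http inside port 8888 redirect
!
! Virtual Telnet: an unused address users connect to in order to authenticate
! when their first flow is not one of the protocols that can prompt inline.
virtual telnet 10.1.255.254
!
! Re-prompt after 30 minutes idle, and unconditionally after 8 hours.
timeout uauth 0:30:00 inactivity
timeout uauth 8:00:00 absolute
```

Two points worth checking before relying on this for the original question. First, cut-through proxy authenticates the source IP address for the uauth timeout, so anyone sharing that host (or able to take over its address) inherits the session; `show uauth` lists what the ASA currently considers authenticated. Second, it answers "non-domain users" in the sense of credentials: a person holding valid domain credentials on an unmanaged laptop still passes, which is the gap the NAC suggestion earlier in the thread is meant to close by checking machine identity and posture rather than just a login.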
