SSL VPN RADIUS AD Groups

nn7963
Level 1

We have an ASA 5520 configured with Premium SSL VPN licenses. We've configured clientless and client based SSL VPN access. The VPN users are authenticated against a 2008 AD domain via a 2008 MS Radius server. My question is "can the users belong to a client-based and clientless AD group"? If we put them in both AD groups only one works.

The ASA is running 8.3(2), but we will be upgrading to 8.4(4-1) soon.

We also have users in Admin AD groups who can do both clientless and client based VPN connections without even being in the client based or clientless AD groups. We haven't made any mapping of any admin groups from the ASA to RADIUS and then to AD. Is this normal?

3 Replies

nkarthikeyan
Level 7

Hi,

Can you please share the configs of your ASA, because I do feel you could have given full privileged access for the admin in your AD server.

Please do rate if the given info helps.

By

Karthik

aaa-server RADIUS protocol radius
aaa-server RADIUS (LAN) host 10.20.1.4
 key *****
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 1
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa

webvpn
 enable CMS
 svc image disk0:/anyconnect-win-3.0.5080-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-macosx-i386-3.0.5080-k9.pkg 2 regex "Intel Mac OS X"
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy VPN_Email_Only internal
group-policy VPN_Email_Only attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol webvpn
 group-lock value CL_Email_Only_CxProf
 webvpn
  url-list value Email_Only
  customization value Email_Only_Customization
group-policy VPN_Client_Based internal
group-policy VPN_Client_Based attributes
 wins-server none
 dns-server value 10.20.1.2 10.20.1.3
 dhcp-network-scope 10.20.95.0
 vpn-idle-timeout none
 vpn-tunnel-protocol svc
 group-lock value CB_Full_VPN_CxProf
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
 default-domain value ***Deleted***.com
 webvpn
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive 20
  svc compression none
  svc modules none
  customization value Client_Based_Customization
  url-entry disable
  svc df-bit-ignore disable
  always-on-vpn profile-setting
group-policy VPNUsers internal
group-policy VPNUsers attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol webvpn
 group-lock value CL_Full_VPN_CxProf
 webvpn
  url-list value Full_VPN
  customization value Clientless_Customization
username inghrjt password ***Deleted*** encrypted privilege 0
tunnel-group CL_Full_VPN_CxProf type remote-access
tunnel-group CL_Full_VPN_CxProf general-attributes
 authentication-server-group RADIUS
 default-group-policy VPNUsers
 dhcp-server 10.20.1.4
 password-management
tunnel-group CL_Full_VPN_CxProf webvpn-attributes
 customization Clientless_Customization
 group-alias Clientless enable
 group-url https://***Deleted***/CL enable
 group-url https://***Deleted***/cl enable
tunnel-group CL_Email_Only_CxProf type remote-access
tunnel-group CL_Email_Only_CxProf general-attributes
 authentication-server-group RADIUS
 default-group-policy VPN_Email_Only
 dhcp-server 10.20.1.4
 password-management
tunnel-group CL_Email_Only_CxProf webvpn-attributes
 customization Email_Only_Customization
 group-alias Email enable
 group-url https://***Deleted***/EMAIL enable
 group-url https://***Deleted***/email enable
tunnel-group CB_Full_VPN_CxProf type remote-access
tunnel-group CB_Full_VPN_CxProf general-attributes
 authentication-server-group RADIUS
 default-group-policy VPN_Client_Based
 dhcp-server 10.20.1.4
 password-management
tunnel-group CB_Full_VPN_CxProf webvpn-attributes
 group-alias Client enable
 group-url https://***Deleted***/CB enable
 group-url https://***Deleted***/cb enable

Any thoughts on why the admin AD users can connect to client and clientless without being in the client and/or clientless AD groups with specific VPN permission?
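Added example, not from the thread: a small audit script that parses the group-policy and tunnel-group lines of the config posted above and reports, per group-policy, which tunnel-group(s) its group-lock admits. A RADIUS reply assigns one group-policy per session, so this mapping is the first thing to check against the "only one works" symptom; the config excerpt inside the script is constructed from the posted config with only the lines the check needs.

```python
import re

# Constructed excerpt of the ASA config posted above: only the group-policy
# and tunnel-group lines the group-lock check needs (ASA indents subcommands
# by one space).
ASA_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy VPN_Email_Only attributes
 vpn-tunnel-protocol webvpn
 group-lock value CL_Email_Only_CxProf
group-policy VPN_Client_Based attributes
 vpn-tunnel-protocol svc
 group-lock value CB_Full_VPN_CxProf
group-policy VPNUsers attributes
 vpn-tunnel-protocol webvpn
 group-lock value CL_Full_VPN_CxProf
tunnel-group CL_Full_VPN_CxProf type remote-access
tunnel-group CL_Email_Only_CxProf type remote-access
tunnel-group CB_Full_VPN_CxProf type remote-access
"""

def parse_config(config):
    """Return (policies, tunnel_groups); policies maps name -> {'protocol', 'lock'}."""
    policies, tunnel_groups, current = {}, [], None
    for line in config.splitlines():
        if m := re.match(r"group-policy (\S+) attributes", line):
            current = policies.setdefault(m.group(1), {"protocol": None, "lock": None})
        elif m := re.match(r"tunnel-group (\S+) type remote-access", line):
            tunnel_groups.append(m.group(1))
            current = None  # leaving the group-policy block
        elif current is not None and (m := re.match(r"\s+vpn-tunnel-protocol (.+)", line)):
            current["protocol"] = m.group(1).strip()
        elif current is not None and (m := re.match(r"\s+group-lock value (\S+)", line)):
            current["lock"] = m.group(1)
    return policies, tunnel_groups

def admitted_tunnel_groups(config, assigned_policy):
    """Tunnel-groups that admit a user whose RADIUS reply assigned `assigned_policy`.
    group-lock, when set, requires the tunnel-group the user connected to match it."""
    policies, tunnel_groups = parse_config(config)
    lock = policies[assigned_policy]["lock"]
    return [tg for tg in tunnel_groups if lock is None or lock == tg]

def lock_report(config):
    """Map every group-policy to the tunnel-group(s) it can be used through."""
    policies, _ = parse_config(config)
    return {p: admitted_tunnel_groups(config, p) for p in policies}

if __name__ == "__main__":
    for policy, groups in lock_report(ASA_CONFIG).items():
        print(f"{policy:18} -> {', '.join(groups) or '(none)'}")
```

A policy without group-lock (here only DfltGrpPolicy) is usable through every tunnel-group, which is why a lock-free policy returned for an administrator is worth looking for in the RADIUS server's policy order.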
