I'm in the process of evaluating SSL VPN AnyConnect 2.5 client, with ASA 8.3(1), for deployment consideration. I am also using ASDM 6.3(1) for configuration of the ASA. Currently, I am leveraging Microsoft Certificate Services & cert-based authentication to authenticate Windows XP clients, rather than using a password-based login via RADIUS or LDAP. The reason behind this is not necessarily for security purposes, but rather it allows the client to establish a VPN connection without user interaction (ease of use), if using automatic log-on.
Given that, I would also like to be able to establish separate policies for different user groups (i.e. set up specific access control for users in the IT dept, as opposed to users from the records department). Previously, I've been able to accomplish this using Dynamic Access Policies. However, since I'm testing with cert-based authentication, and most DAP configuration relies on user attributes from either RADIUS or LDAP, I seem to have lost my ability to establish any DAPs.
So, my question is, is it possible to use DAP using certificate-based authentication, and if so, how do I accomplish this?
If not, is there a way to configure AnyConnect to leverage Windows login as a “single sign-on”, if using a user/password based authentication via LDAP or RADIUS, so the end-user does not have to enter their credentials twice to establish a VPN connection?
Well, since the only thing the ASA knows about the user is his certificate, the only separation you can make will be based on elements of the cert. In other words, is there something different in the certs of the IT dept users compared to the certs of the Records users?
CN=John Doe, O=IT, ...
CN=Jane Doe, O=Records, ...
Then you can do certificate group mapping, i.e. have different Organisations (in this example) land on different tunnel-groups. No need for DAP then.
crypto ca certificate map mymap 1
 subject-name attr o eq IT
crypto ca certificate map mymap 2
 subject-name attr o eq Records
Another option is to do cert authentication with RADIUS or LDAP authorization. There is a "username-from-cert" feature that allows you to define how the ASA can extract a username from the certificate (e.g. you can tell it that the CN is the username, or some other field). Then it can use that username to do an authorization request to a RADIUS or LDAP server.
Note that when using RADIUS authorization (without authentication), your RADIUS server has to have an account for each user with the password set to the username (default), or with a common password for all users (if you configure radius-common-pw in the aaa-server config).
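The first option above (certificate group mapping), written out as an added ASA 8.3 configuration example; this is not config from the thread, and the map, tunnel-group, group-policy, ACL and trustpoint names are placeholders. The certificate map matches on the subject O= value from the two sample subjects above and the webvpn certificate-group-map hands each match to its own tunnel-group, so each department gets its own group-policy without any AAA server involved. Because the whole decision rests on the certificate, the example also turns on CRL revocation checking on the trustpoint, so a lost or stolen client certificate can be cut off before it expires.

```cisco
! Added example, not from the original thread. All names are placeholders.
! Trustpoint that issued the client certs (Microsoft Certificate Services).
! revocation-check crl: a revoked cert must not keep logging in without
! user interaction until it expires.
crypto ca trustpoint ENT-CA
 revocation-check crl
 enrollment terminal

! Match on the subject O= attribute, one sequence number per department.
crypto ca certificate map CERT-MAP 10
 subject-name attr o eq IT
crypto ca certificate map CERT-MAP 20
 subject-name attr o eq Records

! Per-department policy. vpn-filter references an ACL you define separately
! (IT-VPN-ACL / RECORDS-VPN-ACL are placeholders for those ACL names).
group-policy IT-GP internal
group-policy IT-GP attributes
 vpn-tunnel-protocol svc
 vpn-filter value IT-VPN-ACL
group-policy RECORDS-GP internal
group-policy RECORDS-GP attributes
 vpn-tunnel-protocol svc
 vpn-filter value RECORDS-VPN-ACL

! One tunnel-group per department, certificate-only authentication.
tunnel-group IT-TG type remote-access
tunnel-group IT-TG general-attributes
 default-group-policy IT-GP
tunnel-group IT-TG webvpn-attributes
 authentication certificate
tunnel-group RECORDS-TG type remote-access
tunnel-group RECORDS-TG general-attributes
 default-group-policy RECORDS-GP
tunnel-group RECORDS-TG webvpn-attributes
 authentication certificate

! Map certificate-map sequence numbers to tunnel-groups for SSL VPN.
! (assumes "enable outside", "svc image ..." and "svc enable" are already set)
webvpn
 certificate-group-map CERT-MAP 10 IT-TG
 certificate-group-map CERT-MAP 20 RECORDS-TG
```

The check to do before trusting this: confirm on the CA side that only the IT certificate template can put O=IT in the subject, because anyone who can enroll a certificate with that subject lands in IT-TG. A certificate that matches no map entry falls into the default tunnel-group, so keep that group's policy restrictive.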
For your first scenario, keying in on information in the cert to distinguish different tunnel groups, I don't believe there's anything in our org's cert that could distinguish different groups (verifying with our security on this).
That said, your second scenario intrigues me, and at least at first glance, appears to be the more appropriate answer for my scenario. However, I'm finding very little information on how to accomplish this from a configuration standpoint, particularly tying this in with DAP. I don't suppose you can supply an example, or refer to an on-line doc that shows this? BTW, my preference is using LDAP.
From there on, the possibilities are endless. A common way to apply different policies to different groups would be to create group-policies locally on the ASA, and define an ldap attribute-map to map the LDAP group a user is in, to a group-policy:
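The second option from the earlier reply (certificate authentication, username extracted from the cert, LDAP authorization) together with the ldap attribute-map just described, as one added ASA 8.3 example. This is not config from the thread: the server address, bind DN, group DNs, and all object names are placeholders, and it assumes the certificate CN (e.g. "John Doe") equals the user's AD cn attribute, which is why ldap-naming-attribute is set to cn. The attribute-map turns the user's memberOf values into a group-policy name via IETF-Radius-Class; users in neither group fall back to a NOACCESS policy with zero simultaneous logins. Once the ASA is doing LDAP authorization, the LDAP attributes (ldap.memberOf and friends) are also available to DAP records again, which is what the question was after.

```cisco
! Added example, not from the original thread. Names, DNs and hosts are placeholders.
! Define the attribute map before the aaa-server that references it.
ldap attribute-map LDAP-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN-IT,OU=Groups,DC=example,DC=com IT-GP
 map-value memberOf CN=VPN-Records,OU=Groups,DC=example,DC=com RECORDS-GP

! LDAP server used for authorization only (no password is sent for the user;
! the ASA searches for the name taken from the certificate).
! Bind with a read-only service account, never a domain admin.
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-dn CN=asa-ldap-bind,OU=Service,DC=example,DC=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 ldap-attribute-map LDAP-GROUP-MAP

! Policies the attribute-map can select. IT-VPN-ACL / RECORDS-VPN-ACL are
! placeholders for ACLs defined elsewhere.
group-policy IT-GP internal
group-policy IT-GP attributes
 vpn-tunnel-protocol svc
 vpn-filter value IT-VPN-ACL
group-policy RECORDS-GP internal
group-policy RECORDS-GP attributes
 vpn-tunnel-protocol svc
 vpn-filter value RECORDS-VPN-ACL

! Users who are in neither AD group get this policy and cannot connect.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Single tunnel-group: cert authenticates, CN becomes the username,
! LDAP authorization is mandatory and picks the real group-policy.
tunnel-group CERT-TG type remote-access
tunnel-group CERT-TG general-attributes
 default-group-policy NOACCESS
 authorization-server-group LDAP-SRV
 authorization-required
 username-from-certificate CN
tunnel-group CERT-TG webvpn-attributes
 authentication certificate
```

Two things to verify on a test login: "show vpn-sessiondb svc" should list the group-policy the map selected rather than NOACCESS, and "debug ldap 255" shows the search filter built from the extracted username, which is the quickest way to catch a mismatch between the certificate field you extract and the ldap-naming-attribute you search on.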