ASA 5520 (8.0) VPN Groups and Radius (IAS)

derrickc
Level 1

I've got an ASA 5520 8.0(3) setup with two RA VPN groups: a "normal" user VPN group and an "Admin" user VPN group. With the Cisco VPN client, it's fairly easy to ensure only admin folks get the Admin PCF file. However, I recently set up SSL VPN as well (using the same groups). I've set the SSL URLs such that a user going to https://site.company.com goes to the normal user VPN, and a user going to https://site.company.com/Admin uses the Admin profile. This all works, but there is nothing stopping a regular user from hitting the /Admin site if they somehow learn about it. I want to make sure that the /Admin tunnel can only be accessed by users in a specific AD group. Currently, to connect to the VPN, all users (normal and admin) have to be a member of the "VPN Users" group. How can I permit/deny access to a certain tunnel group based on AD group with RADIUS (IAS, Win 2003)?

1 Reply

JORGE RODRIGUEZ
Level 10

You may need to explore a bit and look into this feature, Dynamic Access Policies, which seems like it may fit your requirements, provided you are using LDAP/AD/RADIUS for your VPN groups.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml#intro

Jorge Rodriguez
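Besides DAP, the same goal (a regular user who reaches the /Admin URL is refused rather than admitted) can be reached with the ASA's `group-lock` feature combined with RADIUS group-policy assignment. The configuration below is an added example written for this thread, not Cisco's or either poster's own config. It assumes placeholder names (`GP_VPN_Users`, `GP_VPN_Admins`, `TG_Users`, `TG_Admins`, the server group `IAS`, a documentation-range server address and a placeholder shared secret); the URLs are the ones from the question. The RADIUS side of the assumption: IAS has two remote access policies, the admin one listed first, each matching on Windows-Groups and returning the standard `Class` attribute (25) as `OU=GP_VPN_Admins;` for the admin AD group and `OU=GP_VPN_Users;` for everyone else in "VPN Users". The ASA reads that `OU=` prefix to pick the group policy, and the group policy's `group-lock` then rejects the session if it was started on any other tunnel group.

```cisco
! Added example (not from this thread): lock each RADIUS-assigned group policy
! to one tunnel group so a normal user cannot complete a session on /Admin.
! All names, the server address and the key are assumed placeholders.

! One group policy per role; group-lock ties the policy to a single tunnel group.
group-policy GP_VPN_Users internal
group-policy GP_VPN_Users attributes
 vpn-tunnel-protocol IPSec svc webvpn
 group-lock value TG_Users
group-policy GP_VPN_Admins internal
group-policy GP_VPN_Admins attributes
 vpn-tunnel-protocol IPSec svc webvpn
 group-lock value TG_Admins

! RADIUS (IAS) server group shared by both tunnel groups.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER

! Normal-user tunnel group, reached via the base URL.
tunnel-group TG_Users type remote-access
tunnel-group TG_Users general-attributes
 authentication-server-group IAS
 default-group-policy GP_VPN_Users
tunnel-group TG_Users webvpn-attributes
 group-url https://site.company.com enable

! Admin tunnel group, reached via /Admin. The default policy is deliberately the
! *user* policy: if RADIUS returns no Class attribute, the session inherits
! "group-lock value TG_Users" and is rejected on TG_Admins (fail closed). Only a
! user whose RADIUS reply carries "OU=GP_VPN_Admins;" gets a policy locked to
! TG_Admins and is allowed through.
tunnel-group TG_Admins type remote-access
tunnel-group TG_Admins general-attributes
 authentication-server-group IAS
 default-group-policy GP_VPN_Users
tunnel-group TG_Admins webvpn-attributes
 group-url https://site.company.com/Admin enable

webvpn
 enable outside
```

To check the result, connect as a member of "VPN Users" only to the /Admin URL: authentication succeeds at IAS, but the ASA terminates the session because the assigned policy is locked to `TG_Users`; `show vpn-sessiondb` should show no session for that user, while an admin connecting to /Admin appears under the `TG_Admins` tunnel group with the `GP_VPN_Admins` policy. The point of putting the lock in the group policy rather than relying on URL secrecy is that the decision is made by group membership returned from AD, which is also what DAP would key on.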