I'm still relatively new to Cisco and have searched the question archives for similar answers. Then again perhaps I'm not using the right search criteria.
I have an ASA5510 and so far primarily use the ASDM as I'm still very much a novice yet at using the CLI.
I've set up remote VPN access for external users and it's working well ...
What I'd still like to do is have ...
Some (sysadmin) remote users be able to access all the IPs on the internal network while most of the users (departmental managers) only need access to about 10 IPs.
Is there a "cookbook" method to go about accomplishing this?
What you could do is create 2 different groups and sysadmin can log in to the first group and access all the content. The users in the 2nd group can access the restricted resources which you can implement using split-tunneling on the ASA.
This is the only method I can think of for now.
If you use radius as an xauth for your remote vpn users, you can configure your radius server to send an ACL name to the PIX, which can be applied as additional filtering.
As an example, I have a few different VPN groups set up to define general access restrictions (users/admins/etc), as well as downloadable ACLs which get applied to each remote user's VPN connection to further restrict areas based on the particular user (or group).
On my radius server (FreeRADIUS), this is configured with the variable Filter-Id, which references the name of an ACL on the PIX to apply to the remote user.
This document may be useful if you end up adding this extra level of filtering:
How did you go about configuring your FreeRADIUS server? Are you using the Linux version? I am trying to set up 802.1x auth with FreeRADIUS on a 2950 switch. Any help in configuring FreeRADIUS would be greatly appreciated.
Yes, I'm using the Linux version. It was a straightforward configuration. The only change was that I had to configure it to use the old radius and radaccounting ports (1645/1646 respectively) by editing the /etc/raddb/radiusd.conf file (search for "port =").
The port to use depends on which RFC Cisco is following for that device. The newer RFCs define the port as 1812, and I believe FreeRADIUS defaults to this port as well. If you're unsure, start up tcpdump and watch for the requests.
After you have your ports set up properly, it's just a matter of editing your /etc/raddb/clients.conf file to set it up properly with the right secret. Also, set your nastype to cisco.
I am not having any problems figuring that out; it is figuring out how to set up the user credentials so that a user can authenticate on the port.
Are you using any kind of SQL for user accounts? What is your recommendation on user credentials?
No, I'm using local accounts on the server, but nothing to do with 802.1x.
Google shows quite a lot of hits concerning FreeRADIUS and 802.1x authentication. Two of the most likely candidates are listed below:
Set up two VPN groups, one for sysadmin, one for users.
Create two pools of addresses, assign one pool to each VPN group.
On the ACL inbound to the outside interface, add lines to restrict VPN traffic, e.g.
acl in_outside permit ip [sysadmin pool] any
acl in_outside permit ip [user pool] [selected IPs]
Finally, force all VPN traffic through the in_outside ACL by putting "no sysopt connect permit-ipsec" in the config.
Please refer to following config example:
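The post above does not include its config example. The following is an added illustration (not the poster's or Cisco's own configuration) of the two-pool, two-group approach it describes, written in ASA 8.x CLI syntax; pool names, group names, addresses and the sample departmental hosts are placeholders, and on the ASA 7.0 release the last command is spelled `no sysopt connection permit-ipsec` as in the post.

```text
! Added example, not the poster's config. Names and addresses are placeholders.
! One address pool per VPN group, so the assigned source IP identifies the group.
ip local pool SYSADMIN_POOL 192.168.100.1-192.168.100.20 mask 255.255.255.0
ip local pool USER_POOL 192.168.101.1-192.168.101.100 mask 255.255.255.0

! Group policies bind each pool to its tunnel group (the "VPN group").
group-policy SYSADMIN_GP internal
group-policy SYSADMIN_GP attributes
 address-pools value SYSADMIN_POOL
group-policy USER_GP internal
group-policy USER_GP attributes
 address-pools value USER_POOL

tunnel-group SYSADMIN_VPN type remote-access
tunnel-group SYSADMIN_VPN general-attributes
 default-group-policy SYSADMIN_GP
tunnel-group USER_VPN type remote-access
tunnel-group USER_VPN general-attributes
 default-group-policy USER_GP

! The ~10 hosts the departmental managers may reach (placeholder addresses).
object-group network MGR_HOSTS
 network-object host 10.1.1.10
 network-object host 10.1.1.11

! Inbound ACL on the outside interface. Sysadmin pool reaches everything,
! user pool reaches only MGR_HOSTS. The explicit deny gives a hit counter;
! the ACL's implicit deny would drop the rest anyway. Keep these lines above
! any broader permits already in in_outside, since the first match wins.
access-list in_outside extended permit ip 192.168.100.0 255.255.255.0 any
access-list in_outside extended permit ip 192.168.101.0 255.255.255.0 object-group MGR_HOSTS
access-list in_outside extended deny ip 192.168.101.0 255.255.255.0 any
access-group in_outside in interface outside

! Without this, decrypted VPN traffic bypasses the interface ACL entirely.
no sysopt connection permit-vpn
```

After connecting a test user from each group, `show access-list in_outside` shows the hit counts on the pool lines, which confirms the decrypted traffic is actually being evaluated by the ACL rather than bypassing it.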