Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

How to restrict SSLVPN / WebVPN access to specific users?

Hi all,

The subject says it all really...  We have an established IPSEC VPN service running on ASA 5540s with several thousand regular users.

I am in the process of trialling WebVPN but I don't want just anyone to be able to connect to it.  I'd like to provide the ASA with a list of usernames that are permitted access to the WebVPN service during the piloting stage.

User authentication is handled by Cisco Secure ACS, which backs off to RSA SecureID, and valid users have a SecurID Token.

I don't believe having the user restriction on the ACS is the way forward as using Permitted Calling Points is the only way I can think of to do this, which would prevent all users from dialling in over IPSEC.

Can anyone advise how I can lock access to WebVPN down to a list of users WITHOUT simultaneously affecting access via IPSEC?

Many thanks in advance,

Nick

Everyone's tags (5)
4 REPLIES

Re: How to restrict SSLVPN / WebVPN access to specific users?

Hi,

During the test phase, you can configure SSL VPN on the ASA to authenticate locally for example.

Users that want to connect via SSL (either client-less or client-based) will be prompted for local authentication. You define a local database on the ASA of valid users.

The IPsec clients and the SSL clients can be configured to use different group-policies and the group-policy for SSL will have a local authentication option.

This is not the ideal scenario, but you can have just a few users testing SSL while you decide to have the SSL clients authenticate against the ACS and RSA servers.

Federico.

New Member

Re: How to restrict SSLVPN / WebVPN access to specific users?

Hi Federico,

Many thanks for taking the time to respond :-)

Using local auth was one of the things I'd considered, however our security policy prevents me from using this unfortunately.  I was wondering about the possibility of using DAP?

Unfortunatly the Cisco documentation on the use of DAP is a clear as ever - i.e. about as clear as mud!

Do you or anyone know of a decent document explaining how to implement DAP, or know enough to be able to explain it a little better?

Many Thanks,

Nick

New Member

Re: How to restrict SSLVPN / WebVPN access to specific users?

Nick,

Is the ASA talking directly to ACS with radius or tacacs? Your ACS server can provide attribute 25 with the right group policy (tunnel policy). Only the right users that are a member of the group can do a succesfully login.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

regards,

Sander

New Member

Re: How to restrict SSLVPN / WebVPN access to specific users?

Hi Sander,

We use TACACS+ for Admin Authentication (SSH & ASDM) and RADIUS for user access.

That is a great looking document - I will have a read, thank you.

We were looking for something like this a few years ago when we were originally setting up our RA solution, and came up completely empty!

Nick

1740
Views
0
Helpful
4
Replies
CreatePlease to create content