Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
909
Views
5
Helpful
1
Replies

IP Based Authentication for Clientless SSL

eastviewit
Level 1
Level 1

‎09-30-2010 12:14 PM - edited ‎02-21-2020 04:53 PM

Let me just start off by saying: Yes, I know this is inherently insecure.

That being said, can an ASA appliance be coerced into opening up a clientless SSL connection based solely on source IP?


A related question is whether or not the ASA can forward a username\password to a destination server without the user entering it at the ASA?


Here's the situation: I need to set up a way for a client to be able to come to the ASA and, based on source IP, be forwarded to a Virtual Desktop Interface. I know that piece is easy but I need to attach credentials that Windows Active Directory will accept.


Any help solving this is greatly appreciated!


TIA,

Ben

Labels:
0 Helpful
1 Reply 1

Atri Basu
Cisco Employee
Cisco Employee

‎10-05-2010 05:03 AM

1. An ASA cannot use the source IP address directly for authentication, however using either DAP or NAC you can control which tunnel group a particular client will connect to based on the source IP address. For more information regarding DAP, please refer to the following link:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_dap.html

and

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml#t6

You could also try using Digital certificates. If the certificate contains the source IP address in the CN then it will use the IP address to authenticate the client. For more information on using digital certificates for authentication you can refer to the following link:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/webvpn.html#wp999737

2. Regarding your second question,  I think what you are looking for is the Single Sign On feature. Please go through the following link, it details what SSO can be used for and how to configure it:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/webvpn.html#wp1003053

Customers Also Viewed These Support Documents