SSL VPN - not allowed user can access to vpn

Benjamin_
Level 1

Hello,

I'm running ASAv 9 with AnyConnect to provide SSL VPN tunnels. Each tunnel gives access to a different network from the outside on a unique public IP address.

Each network tunnel can be mounted with a unique URL like https://aa.bb/tunnelA and https://aa.bb/tunnelB

My users are identified by an external RADIUS server (user1@domainA.local).

Everything works great except one thing: a user restricted to accessing tunnelA can mount tunnelB if they know the URL of tunnelB (with a user ID defined for tunnelA).

For example, in the AnyConnect client, user1@tunnelB.local can open tunnelA at the URL https://aa.bb/tunnelA

This is a huge security risk.

I don't know how it's possible.

I've configured each tunnel like this: [Edit] See attached file for config, cannot paste plain-text code

Can anyone explain to me how to link a user ID to a tunnel URL or whatever?

Maybe it's my RADIUS server that doesn't receive or determine which domain is being accessed when the URL of tunnelA is sent, and so can't match the URL domain and the user domain.

Thanks for reading.

2 Replies

Marcin Latosiewicz
Cisco Employee

Have a look into group-lock  (it can be sent over RADIUS). Basically you can bind a particular user to a particular group.

M.
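The following is an added configuration example illustrating the group-lock approach described in the reply above; it is not the poster's attached config nor Cisco's own text. Pool names, group-policy names (GP_A, GP_B, NOACCESS), tunnel-group names (tunnelA, tunnelB), the AAA server group RADIUS_SRV and the host aa.bb are assumed for illustration. The practitioner's point it shows: a tunnel-group's default-group-policy alone cannot enforce the binding, because a user who lands on tunnelB's URL simply inherits tunnelB's default policy and its matching lock. The per-user group policy (and therefore the lock) has to come back from RADIUS for each user, so the tunnel-group default is made a deny-all policy.

```cisco
! Added example (not the original poster's config). Names are assumed.
! Goal: a user whose RADIUS authorization says "GP_A" is dropped if the
! session arrived through tunnel-group tunnelB, and vice versa.

ip local pool ip_pool_A 10.1.1.10-10.1.1.100 mask 255.255.255.0
ip local pool ip_pool_B 10.2.2.10-10.2.2.100 mask 255.255.255.0

! Deny-all policy used as the tunnel-group default: a user gets access only
! if RADIUS returns one of the real group policies below.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP_A internal
group-policy GP_A attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ip_pool_A
 group-lock value tunnelA      ! session must have entered via tunnel-group tunnelA

group-policy GP_B internal
group-policy GP_B attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ip_pool_B
 group-lock value tunnelB      ! session must have entered via tunnel-group tunnelB

tunnel-group tunnelA type remote-access
tunnel-group tunnelA general-attributes
 authentication-server-group RADIUS_SRV
 authorization-server-group RADIUS_SRV
 default-group-policy NOACCESS
tunnel-group tunnelA webvpn-attributes
 group-url https://aa.bb/tunnelA enable

tunnel-group tunnelB type remote-access
tunnel-group tunnelB general-attributes
 authentication-server-group RADIUS_SRV
 authorization-server-group RADIUS_SRV
 default-group-policy NOACCESS
tunnel-group tunnelB webvpn-attributes
 group-url https://aa.bb/tunnelB enable

! RADIUS side (per user, returned in the Access-Accept), either of:
!   IETF Class (attribute 25) = "OU=GP_A;"      -> ASA applies group-policy GP_A,
!                                                    whose group-lock enforces tunnelA
!   Cisco VSA Tunnel-Group-Lock (attribute 85) = "tunnelA"
!                                                 -> lock sent directly, independent
!                                                    of which group policy is applied
```

To check the result, connect as a tunnelA user to https://aa.bb/tunnelB: the connection should be refused after authentication rather than established with tunnelB's address pool, and `show vpn-sessiondb anyconnect` should list each remaining session with the group-policy and tunnel-group pair you expect. If the RADIUS server returns neither attribute, every user falls through to NOACCESS and nobody connects, which is the safe failure mode here.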

Thanks a lot for your reply, I will try it and come back with some news.

If I've understood, I modify my group-policy attributes to add:

     group-lock value my_tunnel-group

And add address-pool ip_pool to my tunnel-group like:

     tunnel-group my_tunnel-group type remote-access

     tunnel-group my_tunnel-group general-attributes

          address-pool ip_pool  <<< corresponds to the ip local pool ... of this tunnel

          authentication-server-group RADIUS_SRV

          authorization-server-group RADIUS_SRV

          default-group-policy my_group-policy <<< where my group-lock value is defined

right?
