Most administrators recognize the need for a single, centralized point of authentication for the network, since nobody wants separate credentials for every application. Active Directory lets you reuse the credentials your users already have for a multitude of purposes, such as VPN access. Cisco ASAs integrate easily with AD or any other LDAP provider, but with plain LDAP authentication alone there is no way to keep certain users or groups out: anyone with a valid account can authenticate. You probably do not want to grant VPN access to everyone in your company, or to every user for that matter.

There is no simple checkbox to turn this feature on; you must visit the CLI. You need to map the Allow/Deny dial-in access setting in Active Directory (the msNPAllowDialin attribute) to something the ASA can understand, namely the name of a group policy. Users mapped to a group policy with vpn-simultaneous-logins 0 still authenticate but cannot establish a session, which gives you a simple way to block VPN access to your network once this is set up. Here is some sample config:
!--- The LDAP attribute map. msNPAllowDialin is mapped to cVPN3000-IETF-Radius-Class
!--- A value of FALSE is mapped to a value of NOACCESS
!--- A value of TRUE is mapped to a value of ALLOWACCESS
ldap attribute-map CISCOMAP
 map-name msNPAllowDialin cVPN3000-IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS
!--- AAA server configuration
!--- ldap-login-dn is the bind account; it only needs read access to user
!--- attributes, so a dedicated service account is sufficient (the sample uses Administrator)
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP host 172.18.254.49
 ldap-base-dn dc=rtpsecurity, dc=cisco, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=Administrator,CN=Users,DC=rtpsecurity,DC=cisco,DC=com
 server-type microsoft
 ldap-attribute-map CISCOMAP
!--- The NOACCESS group policy.
!--- vpn-simultaneous-logins is 0 to prevent access
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc required
!--- The ALLOWACCESS group policy
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 banner value This is the ALLOWACCESS Policy
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc required
!--- The tunnel group that users connect to
tunnel-group TESTWEBVPN type webvpn
tunnel-group TESTWEBVPN general-attributes
 address-pool CISCOPOOL
 authentication-server-group LDAPGROUP
tunnel-group TESTWEBVPN webvpn-attributes
 group-alias TestWebVPN enable
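As an added example, not part of the original post and not Cisco's code, the following Python replays the attribute-map decision above against constructed AD user attributes, so you can check which group policy each user would land in before deploying the config. It assumes the standard ASA behaviour that an account with no msNPAllowDialin value (dial-in set to "Control access through NPS Network Policy") gets the tunnel-group's default group policy, that an LDAP value with no map-value entry passes through unchanged, and the default policy name DfltGrpPolicy and the sample users are assumptions.

```python
# Added example (not Cisco code): replays the ASA's ldap attribute-map decision
# offline so the effect of msNPAllowDialin on each AD user can be audited.
# Lines taken from the page's config, used here as parser input.
ASA_CONFIG = """
ldap attribute-map CISCOMAP
 map-name msNPAllowDialin cVPN3000-IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy ALLOWACCESS attributes
 banner value This is the ALLOWACCESS Policy
"""
CLASS_ATTR = "cVPN3000-IETF-Radius-Class"  # its mapped value names a group-policy

def parse_config(text):
    """Return the map-name dict, the map-value dict and the set of
    group-policies that block logins via 'vpn-simultaneous-logins 0'."""
    names, values, blocked, current = {}, {}, set(), None
    for p in (line.split() for line in text.splitlines()):
        if p[:1] == ["map-name"] and len(p) == 3:
            names[p[1]] = p[2]
        elif p[:1] == ["map-value"] and len(p) == 4:
            values[(p[1], p[2])] = p[3]
        elif p[:1] == ["group-policy"] and len(p) == 3:
            current = p[1]
        elif p == ["vpn-simultaneous-logins", "0"] and current:
            blocked.add(current)
    return names, values, blocked

def select_policy(attrs, names, values, default="DfltGrpPolicy"):
    """Group-policy the ASA would apply. No msNPAllowDialin in AD (dial-in left
    to NPS policy) maps nothing, so the tunnel-group default applies;
    a value with no map-value entry passes through as-is (assumption)."""
    for ldap_attr, cisco_attr in names.items():
        if cisco_attr == CLASS_ATTR and ldap_attr in attrs:
            return values.get((ldap_attr, attrs[ldap_attr]), attrs[ldap_attr])
    return default

def audit(users):
    """{user: (group-policy, vpn_allowed)} under the page's config."""
    names, values, blocked = parse_config(ASA_CONFIG)
    return {u: (pol, pol not in blocked) for u, a in users.items()
            for pol in [select_policy(a, names, values)]}
# Constructed sample users, not from the page.
USERS = {
    "alice": {"msNPAllowDialin": "TRUE"},
    "bob": {"msNPAllowDialin": "FALSE"},
    "carol": {},  # dial-in left to NPS policy: attribute absent in AD
}
```

Running `audit(USERS)` shows alice landing in ALLOWACCESS, bob in NOACCESS (blocked), and carol in the default policy, which is the case to watch for if the default policy still permits logins.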
