Cisco VPN :: 5510 - Separate RADIUS Profiles For SSLVPN Group
Sep 11, 2012
We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration but I do have some inquiries on how to have it configured properly.
1. Employees and clients will access the URL
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
My challenge is, we have several clients and all their usernames were created in ACS5.3. Meaning if the configuration is just being differentiated by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access the resources of each other. Also in the future, we will be deploying 2-Factor authentication for some of our clients.
I'm on an ASA 5510 running 8.2(5)41. I have clientless WebVPN configured to authenticate against an RSA RADIUS server, which has users assigned to RADIUS Class attribute 25 to match the group-lock values assigned to each ASA group-policy. This of course is to ensure users can only access the login page's drop-down VPN profiles they are assigned to by the RADIUS server. I have two other ASA 5510s (same code level) using the same RADIUS server with group-lock enabled but for IPSec remote access VPN's, and the group-lock feature works fine.
WebVPN, however, is authenticating any user to any VPN profile without regard to the RADIUS Class attribute 25 they are assigned. If I configure the VPN profiles to authenticate locally and assign group-lock to individual ASA user accounts, group-lock works. As soon as I point it back to the RADIUS server, group-lock does nothing. From the 'debug aaa' below for user 'corpvpnstp', you can see the RADIUS server sends back the attribute 25 values of "ou=stp.Client;" and "ou=stp.ClientDRC;" for this user. The ASA profile this user has attempted to connect to is "EMS-Admin", which should get denied by the ASA. Instead, the ASA successfully authenticates the user.
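The per-client separation the two posts above describe, written out as an added configuration example (not the posters' own config): one group-policy and tunnel-group per client, with the RADIUS Class attribute (25) selecting the group-policy and group-lock restricting that policy to its own tunnel-group. The names GP-ClientA, TG-ClientA, RADIUS-ACS, the server address 192.0.2.10 and the shared secret are assumptions.

```cisco
! Added example, not from the original posts. Names and addresses are assumed.
! RADIUS server group the tunnel-group authenticates against (ACS in the posts).
aaa-server RADIUS-ACS protocol radius
aaa-server RADIUS-ACS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
!
! One group-policy per client. group-lock ties the policy to a single
! tunnel-group, so a user mapped to GP-ClientA who picks another client's
! profile from the login drop-down is rejected instead of authenticated.
group-policy GP-ClientA internal
group-policy GP-ClientA attributes
 vpn-tunnel-protocol webvpn
 group-lock value TG-ClientA
!
! One tunnel-group (connection profile) per client, shown in the drop-down
! under the alias ClientA. default-group-policy only applies when RADIUS
! returns no Class attribute for the user.
tunnel-group TG-ClientA type remote-access
tunnel-group TG-ClientA general-attributes
 authentication-server-group RADIUS-ACS
 default-group-policy GP-ClientA
tunnel-group TG-ClientA webvpn-attributes
 group-alias ClientA enable
!
webvpn
 enable outside
 tunnel-group-list enable
!
! On the RADIUS (ACS) side, each user's Class attribute (25) carries the
! group-policy name in the form  OU=GP-ClientA;  which the ASA maps to
! group-policy GP-ClientA before group-lock is evaluated.
! Verify which group-policy and tunnel-group a session landed in with:
!   show vpn-sessiondb webvpn
```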
We have several ASA 5510 firewalls which are being used as VPN gateways. RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used. Is it possible to assign user Group and other attributes (such as ACL) using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?
In my ACS 5.4 I want to have the same username use two shell profiles. Here is the requirement. One shell profile with privilege 15 for IOS device admin and the other one with a different privilege for WCS admin. As there can't be two shell profiles on the same authorization profile, I created two different profiles and matched them with the ACS local group name. However, whenever the user tries to access, it always hits the 1st profile.
We have an ASA5510 with AnyConnect SSLVPN set up, which works great from remote locations. However, when I am inside the network, I cannot connect to this SSLVPN. I would like to be able to do this for testing purposes; I have a VLAN10 that has ACLs so it cannot reach any private IP addresses, we use this VLAN for our guest Wifi network. I would like to be able to make AnyConnect SSLVPN connections from this VLAN, to test the VPN access without having to be at a remote site. However, since I don't want to change any settings compared to my remote site, I don't want to just bind the sslvpn to both outside and VLAN10 (by issuing the enable VLAN10 statement). [code]
Is there a way that I can associate one user with two VPN profiles? Here is the scenario. Our company has bought a Win 7 64-bit PC for some of the employees, so I had to create AnyConnect. But the same users are also connecting via the normal Cisco VPN client. They will give away these old PCs, but for the time being my need is that both users shall connect to the AnyConnect profile and the IPsec profile.
I tried to assign the same profile with both ipsec and svc so that they could use a single profile, but AnyConnect didn't work. I am having a Cisco ASA 5510 as VPN gateway. And how many licenses does a Cisco ASA have by default for AnyConnect users? Here is the configuration for AnyConnect:
group-policy Broad_Anyconnet internal
group-policy Broad_Anyconnet attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Nit_Broadcast_Network_Tunn_ACL
 address-pools value Broadcast_AnyPool
 webvpn
  svc ask none default svc
[Code]...
I'm looking for some input on RRM. I personally have NOT used it in a LONG TIME, since probably the 4.0 days and then very shortly due to massive issues it was causing and admittedly, in part due to my ignorance at the time. So, ever since that point, I have always set all my channels and power manually but now feel I am getting to some points where RRM may be required / beneficial. So, I've invested some time and have begun researching and trying to get the ins and outs on it, but I'm foreseeing a potential issue in my world anyway and am hoping for some clarification. Let's take the below example:
- WLC5508a and b - (2 100-AP license controllers) - these hold the majority of the APs for the main hospital. Let's say 140 APs.
- WLC5508c and d - (1 100-AP and 1 50-AP licensed controllers) - These tend to hold our smaller sites and buildings, not all connected and some a few miles from each other
- WLC4402a and b - (failover ready)
So, with RRM, I can set it up on the 5508A/B without issue as this is one big large building. However, what about C and D? I suppose I can make them a separate RF Group, but how would RRM respond when it has 16 APs in Building X and then 3 APs in Building Y, 30 APs in Building Z and sporadic buildings with 1's and 2's? Everything I've read so far leads me to believe if these devices are separated it probably won't be an issue; however, I just don't want something causing a change in Building Z and Building X be affected because RRM decided it would try to fix it. My point is, I can't afford to have a separate RF Group (meaning separate controllers) for every location.
I use a Cisco ASA 5510 with the AnyConnect VPN for remote workers. Now we want to give access to a select group of consultants who only need access to one server and block everything else.
I was thinking this could be done by creating a separate AnyConnect Connection Profile on the ASA. From that new connection will come a new GroupPolicy with an ACL to only allow access to the one system. That GroupPolicy will point to the Radius Server looking for an account in a specific MemberOf group.
My question is - Could you explain how the ASA knows what Connection Profile to use when a user tries to authenticate? Does it automatically hunt down each Connection Profile until there is a username match via RADIUS in the Connect Profile?
I'm in a house on a network that has 2 Macbooks, 4 notebooks running either Windows Vista or Windows 7, and 3 desktops running either Windows Vista or Windows XP. (Sidenote: No, they're not all accessing the network at the same time; actually some of them are hardly ever even turned on but it's important to include them because of the questions to follow.) Out of all those machines, one desktop running XP and one notebook running Vista are mine. Now, my family's pretty private, so we have file sharing turned off on all the computers. The problem is it's really a pain to have to transfer files between my laptop and my desktop, which I do fairly often because some of my schoolwork is done on the desktop (bigger screen), while some is done on my laptop (portability), and I also have a partition on the desktop's hard drive specifically for backing up files. When I want to transfer files, whether it's one file or 10,000 files (which I had to do the other day, actually), I either have to:
a) e-mail the file to myself if it's not too large and open it on the other machine
b) use my flash drive to transfer files
c) use a usb transfer cable, start the software, log in to the connection, etc etc.
simply create a new Workgroup on the network with just my 2 machines in it, so I can put all the files I want to share/move between them on the network instead of manually transferring them. I've already taken care of that step (creating the Workgroup, that is), so for the sake of not being confusing, I'll call my network "Network" and my workgroup "Mygroup" and whatever workgroups the other computers might be in "Theirgroups". Now that I've figured out that it's possible for Mygroup and Theirgroups to co-exist on Network, what about the actual file sharing? If I set up file sharing will only the 2 computers in Mygroup have access to them, or will the computers in Theirgroups have access as well since we're all on the same network? If the computers on Theirgroups will have access as well, is there any way I can make it so that only Mygroup will have access?
We have 2 ASA 5510's running in a Active/Standby configuration. It appears that most of the changes we make on the active unit are replicated to the standby unit. However, there are 3 AnyConnect Client Profiles on the active unit and none of them show up on the standby, the standby has no AnyConnect Profiles. We also have 1 OnConnect script on the active unit and it does not appear on the standby unit either.
I was under the assumption that all config items on the active unit would replicate to the standby. Is this not correct? Do I need to do something extra to get everything replicated? Are there other items that do not replicate?
I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes, IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
I am trying to let the Cisco ASA automatically select a tunnel group for users after the user inputs username and password. I am trying to do this without the user selecting a connection profile on the login page. Authentication is ASA<>ACS 5.3<>MS AD. How can I do this? Radius attribute class=group_policy doesn't work.
Basically I want to query Radius for AD group membership and apply a set of Bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. I saw that using attribute 4242 for DAP for group membership, but what is the Group syntax?
In the WLC there are two groups (say A and B). How would I take group B and point it to a RADIUS server for authentication? The server is ping reachable. I have searched but did not see any definitive answer.
Is it possible to have the ASA connected to two ISPs and use one ISP connection for Client/S2S VPN and Internet access and the second ISP connection just for the WebVPN traffic? How would you manage the routing, as the default route is pointing to the first connection, or is that not an issue here?
I'm setting up two separate 5510's at two separate locations. The client wants two separate SSL VPNs; one for the HQ and one for the COLO location. They have a single domain for which I have added A records to point to the corresponding ASAs thusly: [code]
My question is this: do I need to buy separate certificates for each ASA/FQDN/IP combo? I'm using GoDaddy to buy the certs. If I do need to buy separate certs, that makes the installation easier, but may waste $$. If I only need to buy one cert, how do I set it up so that both combos are verified?
I have an ASA5510 with Plus license. I have 2 inside interfaces, STAFF and MAIL, and two outside interfaces, OUT_STAFF and OUT_MAIL, which are on separate ISPs. Now I want to NAT STAFF to OUT_STAFF and MAIL to OUT_MAIL, but because I'm having two default routes it gets impossible to do.
The VoIP PBX resides on a separate LAN, not connected to the ASA. Users from behind the ASA (inside) try to connect to the VoIP PBX using a soft phone. The VoIP connection is established, however users cannot hear conversations on either end. I'm assuming this is possibly a SIP and PAT issue? The ASA firewall is using a separate global IP for PAT. Also I have opened ports on the outside interface for SIP udp 8081, 2088, 16000-16010 and 15000-15511. I have both SIP and H323 h225 inspection in place as well.
We have an ASA 5510 and we also have two separate address pools which have been provided by our ISP. The addresses are not contiguous. Is there a way to configure an interface on the ASA to handle both sets of public address pools? If the outside interface is set up on eth0/0 would I create two subinterfaces (eth0/0.1, eth0/0.2) and assign each subinterface an address pool? Then just NAT/PAT to my heart's content? At that point I would want both to route to our inside network. So it's basically two inbound sets of IP addresses coming into one interface and then coming into the network... Right now the outside interface is configured with our first set of IP addresses. We wanted additional addresses and when we called our ISP they told us we already had them - just a different pool. Hence the question. I'm guessing that I wouldn't put anything specific on the outside interface and I would put the specifics on the subinterfaces?
Due to special circumstances we have 2 ISP links on an ASA5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP Link, eg below:
LOCAL FIREWALL
crypto map outside-map_isp1 20 match address VPN_ACL_A
crypto map outside-map_isp1 20 set peer 1.1.1.1
crypto map outside-map_isp1 20 set transform-set TS-Generic
crypto map outside-map_isp2 30 match address VPN_ACL_B
crypto map outside-map_isp2 30 set peer 3.3.3.3
crypto map outside-map_isp2 30 set transform-set TS-Generic
crypto map outside-map-isp1 interface ISP_1
crypto map outside-map-isp2 interface ISP_2
crypto isakmp enable ISP_1
crypto isakmp enable ISP_2
route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254
route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254
Establishing the VPN tunnels in either direction when using ISP_1 works fine, establishing in either direction from remote access users and multiple L2L tunnels (only showing one for example).
On ISP_2:
1. Peer 3.3.3.3 device establishes a VPN tunnel, but the return traffic does NOT get back to devices on the 3.3.3.3 tunnel.
2. The local firewall does NOT establish a VPN tunnel going to 3.3.3.3.
It would seem to indicate that the problem lies with this multihomed firewall not directing the traffic correctly, either to return down an established VPN tunnel (point 1) or to initiate a tunnel if none exists (point 2).
Reconfiguring the VPN tunnel peer for 3.3.3.3 to be on ISP_1 of the local firewall, all springs into life! There are sufficient license etc...
I have to configure failover Active/Standby on my ASA 5510. I am wondering how I could do for the outside interface; I mean, actually the ASA1 outside interface is linked directly to our Internet router. So now if I have to add ASA2 connecting to that router I will need a switch between them. I already have a switch for DMZ & LAN. The thing is that I will have to allow 3 switch ports to communicate with each other.
- 1 for ASA1--outside - 1 for ASA2--outside - 1 for Internet router
How could I isolate these 3 ports to make them communicate alone? Should I use a VLAN for that? And if I use a VLAN, will this require any change of configuration on my firewalls' (ASA1 & ASA2) outside interface? I am a bit lost with this; if I am correct I will not have to do any "vlan tagging" on the firewall itself?
I am doing the initial configuration on our ASA 5510 to use our Radius server just as our 3005 VPN Concentrator did. I can do the test connection inside the ASA with no problems, and when I authenticate using the AnyConnect client, it appears to authenticate fine, but then dumps the connection with an error stating there is not enough memory in the ASA to allow this connection. The error message is as follows:
Error Message %ASA-4-722004: Group group User user-name IP IP_address Error responding to SVC connect request. Explanation There is not enough memory to perform the action.
Recommended Action Purchase more memory, upgrade the device, or reduce the load on the device.
Can this really be the case with no connections active, a single user attempting to authenticate through Radius and an out-of-the-box ASA 5510?
I would like to ask some questions about the VPN client and SSL VPN. On my ASA 5510 I have many tunnel-groups, around 5 tunnel-groups, and I have one SSL VPN; I also have 20 users. Let me show you that:
I have configured ASA 5510 with IPsec Remote VPN, with local database users (users are created in ASA).
Internal network has 4 VLANS. Need solution for below.
There are 25 users created in ASA, where only 5 to 6 users want to grant access to particular IPs and subnets and the rest of the users can access the entire LAN.
Is it possible to configure Group policy in ASA for IPsec Remote VPN?
Last time, I've implemented a Remote Access VPN to my network with ASA 5510. I've allowed my VPN access to all my internal LAN, but I want to configure a group of VPN in the CLI to have different groups of users which can access different servers or different networks on my LAN.
Example:
informatique group ------ access to 10.70.5.X Network
Consultor group -------- access to 10.70.10.X Network
I need to know how I can do that, and if you can give me some e.g. script to complete this. Here is my configuration:
ASA Version 8.0(2)
!
hostname ASA-Vidrul
domain-name vidrul-ao.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.X
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address X.X.X.X 255.255.255.X
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Port_Device_Management
 nameif Management
 security-level 99
 ip address X.X.X.X 255.255.255.X
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name vidrul-ao.com
access-list 100 extended
I have a 5510 authenticating successfully with a RADIUS server. I'm using it for VPN authentication and it works great. I would also like to do this for administrator access to the ASA. When I turn it on though, any authentication for VPN access is also granted administrative access to the ASA. Obviously, I need to limit that to a select few users.
Currently I'm evaluating an ACS 5.2. I need to authenticate the VPN users against LDAP, but have no direct connection from the ASA to the LDAP server. So the ASA should connect to the ACS to ask the LDAP identity store, OK.
My first problem is: the ACS doesn't respond to the RADIUS requests of the ASA! The ASA uses port 1812, the secret is OK, the ASA is configured as a network device in the ACS and I've created an internal test user on the ACS. The firewall log shows the established connection (so I think there is a handshake!?), but the ASA says in the Radius test: "EROR:Authentication-Server not responding".
I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups, the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 62.77.130.14 62.77.130.208. Both ASAs have the same image version (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?