Cisco VPN :: ASA 5520 / Restricting End User To One Specific Group With AnyConnect?
Feb 6, 2013
I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication. I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account. How do I restrict this so that the user can only use one profile? Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks. Is there a sample configuration guide to handle multiple profiles with different levels of access?
I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN.)
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.
Need assistance understanding how in ASDM/Configuration/Site-to-Site VPN/Connection Profiles/ "Any Entry" I can specify that I only want to offer an IKE Proposal of pre-share-aes-256-sha?
The IKE Proposal field has a number of possible options including: pre-share-aes-256-md5, pre-share-3des-md5, pre-share-aes-256-sha, pre-share-aes-192-sha, pre-share-3des-md5, pre-share-aes-sha and pre-share-3des-sha.
I am able to pick a specific IPSec Proposal w/o issue but when I attempt to do the same for the IKE Proposal, and click OK the choice does not "stick" but rather returns to the entire list as defined above.
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
I can't seem to find any documentation to how to get this working. I'm trying to make it so that only users of a certain AD group are authenticated for my Anyconnect VPN on my ASA 8.2.2
I've found the documentation on how to prevent logins using the msNPAllowDialin attribute, but not how to base it on group membership (memberOf) [code] I need to do any kind of restrictions inside the actual group-policy TESTGROUP ?
when it comes to IOS based SSL VPN setup, so have run into an issue which I can't seem to find an answer for.
What i'm after is a way to restrict access to an AnyConnect authenticated and connected client, on a specific profile, to a list of specific websites (all on the Intranet). Everything else must be blocked.
On the IOS device, I had it fudged to pretty much retstrict access to a certain IP and port, and used a mod rewrite in Apache to re-write a URL from that IP to the host the site actually resided on. It's cludged together and working, but it's not ideal (and it's not going to allow for scaling up to what I need).
I can find plenty of references here and on the net to using regex to create block lists based on a global policy to disallow specific URLS, but I need the inverse of that, and, only applied to a specific policy group.
Is this possible on an ASA5505? Is it possible on *any* ASA?
I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an object group as a source
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?
I'am a novice with LMS 4.0.I create 4 device group in Group Management, I restarted my server and since this reboot, I haven't any device in my groups. I would like to use the archive synchronization but I can't see my device in my groups.
Profile in atthach-file. After this profile is uploaded to client Optimal Gateway Selection doesn't work propertly: When 'vpn1.mydomain.com/mygroup' (it best TTL server) is unreachable, then OGS try to be connected to other servers, but without group-url, for example 'vpn2.mydomain.com' (instead of 'vpn2.mydomain.com/mygroup')
We are using ACS 126.96.36.199 with patch 8 on ACS 1113 SE box.
Our requirement is to assign ACS loal group to user on basis of windows Nt group. Which means I dont wants to create individual users in ACS rather when user will login, the auth request will be forwarded to AD(remote database). Depeneding on the remote database group the user should be mapped to local database.
For this I have configured "database group mapping" according to following cisco guide. [URL]
However when ever my AD users are authenticating they are getting the membership of default group as configured in "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.
whether "Group mapping by External user database" works with TACACS+ or only with RADIUS protocol. If it works with TACACS+ what else configuration need to be done so that my ACS can map users to proper groups instead of default group.
I need to block the multimedia streaming to a certain group of users accessing my wireless connection.I'm using squid as my proxy server and the users are registered on a LDAP database. A RADIUS server provides authentication.
having LMS 4.0.1 is it possible to authenticate user on a group base and assign different privilege to different groups?. The user's group are available in the LDAP server.Do I have to use a TACACS/RADIUS server between the Ciscoworks LMS and the LDAP repository?
This question might actually belong under tacacs server but it's only happening with the ACE. I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings when I login with my tacacs ID my role is set to Network-Monitor. If I set the shell in my specific tacacs ID I'm assigned the correct role as Admin. We're running ACS ver 4.1 and the ACE is A4(1.1)
We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system.
- On ACS we were doing 802.1x Authentification over an Activedirectory, assigning Vlan according to computer/user group. In some case the user vlan could be different from the computer vlan (ex admin account connecting to a user account). This works great with ACS.I tested the same function with ISE and the behaviour is a bit different :
- When the computer boot, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
- When the user login, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer not the user. So the authorization profile is the one from the computer not the user.
It seems that the AD group attributes are not well updated :
- AD logs show the second authentication doesn't engage a new group parsing from AD - Shutting down the switch port when user is logged engage a new authentication a AD group are well updated. - Bug toolkit reference the same bug but for WLC CSCto83897 so I suspect it's present in other case.
I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.I would be grateful if i can get the step by step procedure to achieve this:The below is what iam trying to do:
1) Create an AAA server group. 2) Add the AAA server to this group (here its RADIUS). 3) create an LDAP-cisco ASA group mapping (for authorization) 3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here). 4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).
I recently upgraded to Windows 7 in my company and the OS came bundled with Anyconnect VPN client version 2.5.
In the earlier version I used to add user profile using a .pcf file by importing it into the client to access customer LAN.
But in the Anyconnect VPN client I dint find any option to import the file. The IT support has told to edit the xml file to add it. The problem is I even after i edit the anyconnect-cert.xml with changes in host name and host address tags I am not able to start a connection. I dont knw know exactly what address must be given in Host address tag. I copied the host address from .pcf file which i used earlier.
Whether I will be able to add a user profile in this way or any correction is to be done in the whole process of adding the user profile,
I have a Cisco ASA 5505 that I've setup with an SSL VPN. This is for personal use, and I therefore don't have need for anything more than local authentication. [code]
I'd like to have one profile/policy where I only encrypt data going to my split-tunnel ACL, and I'd like to have one profile/policy where I encrypt all traffic.
The issue ive been fighting is - it doesn't seem like its possible to associate more than one group policy per user. If it IS possible - can you tell me how I associate both groups to my local account?
I just configure VPN for end users in PIX515e with IOS 8 and get stuck with "Tunnel Rejected: User (msveden) not member of group (VPN-shared), group-lock check failed.". tell me how I add user to my VPN group?
We want to set up a wireless user group in our town between a few friends and new people who are interested to join. As far as I heard I don't need a ICASA License for the 5.8GHz Frequency if we are using it for a non profit orginization, so we may use that.
1 x Routerboard 3 x Radio Plugin Boards 3 x 120degree Antennas
to set up a 360degree HS (Highsite).Then at each person's house we will need:
1 x Routerboard 1 x Radio Plugin Board 1 x Whichever Antenna
Is that correct? Then also if we wanto run VoIP on our network, how do I do that? Basicly we want to use it for gaming, file sharing and VoIP. No Internet of anything else.
I am trying to find a tool that will monitor the web traffic for one specific user. If it is capable of bundling it into a report that would also be a benefit. I have searched, but not come up with much aside from broad network monitoring tools. All that is really needed is to capture all the activity from http traffic for this one specific user/PC (since she uses the same PC all the time). We have a Sonicwall NSA 2400 as our internet filter, but I was not able to locate anything on there for specific user reporting.
Prior to version 8.4(1) Cisco called their licensing name for SSL/VPN users AnyConnect Premium SSL VPN and currently the new name of the licensing is simply AnyConnect Premium. Also, the IOS display name for the amount of SSL/VPN users enabled via your licensing (ex. 2, 10, 25, 50, ...) by running a 'show activation-key' was changed from SSL VPN Peers to AnyConnect Premium Peers.With that said, my question is if the license for upgrading 10 users to 25 users (L-ASA-SSL-10-25= - ASA 5500 SSL VPN 10 to 25 Premium User Upgrade License) on an ASA prior to 8.4(1) and an ASA with 8.4(1) is still valid and the correct part number to peform these upgrades for both ASAs. The description of this part number is throwing me off because it says SSL VPN to Premium User, which was the name prior to 8.4(1). I could not locate any documentation regarding this part number or upgrading 10 users to 25 users for both ASAs.
I am trying to setup a VPN with AnyConnect on my ASA5510 and it works fine. I have setup an AAA server group for my Active Directory with the "NT Domain" protocol". Right now, every user is able to connect with their Active Directory credentials. I would like to restrict access to the Anyconnect VPN to only a few users in AD.