Cisco VPN :: How To Lock VPN Users Into Certain Group-policy With ASA / ACS 8.2
Feb 10, 2011
I have a Cisco ASA (8.2) with several group-policies set up. By default, I can hit the SSL page and have a selection of available group-policies for a user to log in to. I want to have different ACLs for each group, to go along with the subnet that each particular group hands out. Right now, as long as a user is authenticated through AAA, they can log in to any group they select and therefore have more permissions than another group.
I know how to hide the list, but I need to be able to assign a specific group to a user based on an attribute in ACS.
I've set up ACS to use the "CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock" attribute, matching the group-policy name in the ASA to the attribute on the user account in ACS. This doesn't seem to work, and it just throws the user into DfltGrpPlcy, which doesn't give the user anything. So it's either wide open, or it's broken.
I'm using RADIUS authentication and not TACACS, so it should retrieve the attributes, and according to the ACS, it grabs the attribute during the authentication process.
I am trying to map an LDAP group to an ASA group-policy following the documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well, but I do run into problems. The mapping, as shown in the LDAP debug and ASA log, will actually happen, but it is overwritten by the "GPnoAccess" group-policy configured locally in the tunnel-group. From earlier work with RADIUS I would have expected the user-specific attribute to be "stronger"? ASA log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
I'm on an ASA 5510 running 8.2(5)41. I have clientless WebVPN configured to authenticate against an RSA RADIUS server, which has users assigned to RADIUS Class attribute 25 to match the group-lock values assigned to each ASA group-policy. This of course is to ensure users can only access the login page's drop-down VPN profiles they are assigned to by the RADIUS server. I have two other ASA 5510s (same code level) using the same RADIUS server with group-lock enabled but for IPsec remote access VPNs, and the group-lock feature works fine.
WebVPN, however, is authenticating any user to any VPN profile without regard to the RADIUS Class attribute 25 they are assigned. If I configure the VPN profiles to authenticate locally and assign group-lock to individual ASA user accounts, group-lock works. As soon as I point it back to the RADIUS server, group-lock does nothing. From the 'debug aaa' below for user 'corpvpnstp', you can see the RADIUS server sends back the attribute 25 values of "ou=stp.Client;" and "ou=stp.ClientDRC;" for this user. The ASA profile this user has attempted to connect to is "EMS-Admin", which should get denied by the ASA. Instead, the ASA successfully authenticates the user.
One of our accounting administrators will be working in our server this weekend from his home remotely. He wanted to know if there was a way I could temporarily lock users from remoting in for a few days to prevent them from messing up his work. The only way I could think of was disabling the accounts in Active Directory and then re-enabling them once he was done. The server is running Windows Server 2003 with the users remoting in via RDP. They all have accounts in Active Directory.
I'm trying to set up ACS 5.2 with an ASA v8.3.2 to lock users into VPN groups based on a user's AD group. I've tried various combinations but the group lock isn't working. I've done steps 1 & 2 ...
1) Network Devices and AAA Clients -> Define VPN
2) Users and Identity Stores -> Setup AD and Directory Groups, test connection
Policy Elements:
Q1) Policy Elements - Do I need an authorization profile for each group?
Q2) What RADIUS attributes should I use to match my ASA tunnel-groups?
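The posts above all ask the same thing: how to keep a RADIUS-authenticated user inside one ASA connection profile. The following is an added example of what a complete group-lock configuration looks like on an ASA; it is not config from any of the posters and does not come from the Cisco documentation linked above. All names (GP-Sales, TG-Sales, ACL-SALES, RADIUS-ACS, the 192.0.2.10 server address and the shared secret) are assumed placeholders.

```cisco
! Added example, not taken from any post above. Names and addresses are assumed.
!
! 1. Group-policy: the per-group restrictions. "group-lock" ties the policy to one
!    tunnel-group, so a user who receives this policy from AAA but connected through
!    any other tunnel-group (e.g. by picking it from the portal drop-down) is rejected.
group-policy GP-Sales internal
group-policy GP-Sales attributes
 vpn-tunnel-protocol ssl-clientless
 group-lock value TG-Sales
 vpn-filter value ACL-SALES
!
! 2. Tunnel-group (connection profile). Its default-group-policy is only the fallback;
!    a group-policy returned by the RADIUS server for the user takes precedence.
tunnel-group TG-Sales type remote-access
tunnel-group TG-Sales general-attributes
 authentication-server-group RADIUS-ACS
 default-group-policy GP-Sales
tunnel-group TG-Sales webvpn-attributes
 group-alias Sales enable
!
! 3. RADIUS server group pointing at ACS. The Access-Accept for a user should carry:
!      Class (IETF attribute 25)            = "OU=GP-Sales;"   -> selects group-policy GP-Sales
!      Cisco VSA 85 (Tunnel-Group-Lock)     = "TG-Sales"       -> per-user lock, same effect as
!                                                                group-lock in the policy
!    The group-policy named in the Class attribute must exist locally on the ASA with
!    exactly that name, or the ASA falls back to DfltGrpPolicy.
aaa-server RADIUS-ACS protocol radius
aaa-server RADIUS-ACS (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
!
! 4. Verifying the result after a test login:
!    debug aaa common 255      -> shows "AAA retrieved user specific group policy (GP-Sales)"
!    show vpn-sessiondb webvpn -> lists the Group Policy and Tunnel Group actually applied
```

A useful check is to log in as the test user through a tunnel-group other than TG-Sales: with the lock in place the session must be refused with a group-lock failure, not silently dropped into DfltGrpPolicy. If the debug output shows the user-specific policy retrieved and then the tunnel-group default applied instead (the behaviour reported in the LDAP post above), the policy name returned by AAA does not match a locally configured group-policy and should be compared character for character.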
Dell 3000 XL, OS 149GB. I set up a home office to try to transfer files to my new one. Once I found out you can't do it, there was a group policy in place. How do I get rid of it? It's interfering with a lot of stuff, including my firewall. Had to buy another.
I have configured an ASA 5510 with IPsec remote VPN, with local database users (users are created in the ASA).
The internal network has 4 VLANs. I need a solution for the below.
There are 25 users created in the ASA, where only 5 to 6 users should be granted access to particular IPs and subnets, and the rest of the users can access the entire LAN.
Is it possible to configure group-policy in the ASA for IPsec remote VPN?
I have 4-5 machines connected to each other in a network which are in a workgroup. Now I want to change one group policy on a remote machine. The name of that policy is "Network access: sharing and security model for the local accounts: Guest only". How can I change this policy remotely?
Is it possible via Group Policy to prevent the domain computers from automatically creating default favorites when the users log in? Currently on the Favorites Bar it creates "Web Slice Gallery" and "Suggested Sites", as well as a "Websites for United Kingdom" folder. The domain controller is running Windows Server 2008 R2, and the clients are running Windows 7.
I need to install the Cisco NAC agent through Active Directory Group Policy (Windows 2008 R2). Currently the Cisco NAC CAS servers have been installed and configured, and the switches are added, but the ports are not active, so users are not passing through the NAC yet. When the ports are active and users try to access the network, the browser will ask them to install the Cisco NAC Agent. I need to bypass this by installing the Cisco NAC agent through Active Directory Group Policy. How do I install the Cisco NAC agent (4.9.1) to all the users in the network (Windows XP / 7) through Active Directory so that the users will not know that the Cisco NAC agent has been installed on their computers? This way the users need not install the Cisco NAC agent through the web browser and will just log in with their user name and password and get into the network.
I am interested in knowing how to check on my 2003 Server which usernames are blocked from downloading. Many of the clients seem to have downloaded Google Talk and also Spotify. I was wondering if I can check where this policy is located and how to enforce it (or create it if it isn't in effect correctly).
When you use Group Policy to determine whether a link is fast or slow, fast links may be incorrectly flagged as slow links.
This problem may occur when a network that you are trying to detect a slow link to is configured to control the size and flow of Internet Control Message Protocol (ICMP) packets. For example, if a router allows for only ICMP ping packets that have a size of 1,024 bytes, the slow-link detection feature may flag the connection as a slow link. This is because the router discards ICMP packets that are larger than 1,024 bytes. If the router discards the packet because it exceeds the allowed size, fast links may be reported as slow links.
According to Microsoft, the default ICMP ping packet size of 2048 is used. Microsoft recommends changing every single Windows machine's ICMP size, but my customer would rather just change the router. It is a 2821 router, running 12.4(24)T4, using MLPPP to bundle two T1s.
I'm running a Windows Server 2008 Enterprise Edition server that is currently the domain controller, and a Windows 7 Ultimate client. I have a 'Test' user for messing around with group policy - anyway, on the client Start Menu it has 'Test User' which leads to some form of libraries folder. Is it possible to restrict the link without removing their name?
I just came across a requirement of implementing different password policies for different groups of users.
I can see that >>>>SYSTEM CONFIGURATION>>>>User>>AUTHENTICATION SETTINGS has only a global option to set the password complexity and number of days for an active user, but I need this feature to be per user/group.
I actually require users who are coming from the PublicVLAN (the VLAN associated with the wireless hotspot) to authenticate themselves to the LDAP server via my ASA 5510 firewall.
We have a Cisco Cat4503 series L3 switch and Cisco 2560 series L2 switches. Some of the users want to have dynamic VLAN membership, connecting to the network as mobile users.
Is it possible to create a dynamic VLAN for a specific group of users?
I'm looking into a way of routing users' internet connections based on their username or group in a Windows environment. Currently there are two ISP connections, each with its own proxy server. I want a user to be fully redirected to one of the ISPs based on who they are. I was hoping this could be accomplished via IE proxy settings, but it looks like the primary ISP connection is still getting most of the connections/routing.
I work as an administrator for a small business (~30 PCs and a Windows 2003 R2 server). Recently we started to have a problem with our LAN: the network starts to kind of lock up randomly. For example, browsing folders is fine, then you switch to one and the Explorer window just does nothing (with a loading cursor), and after 4 seconds everything refreshes and works again. Then in Word or any other program (sometimes not even related to network files/folders) you press the save button and it does the same: nothing for 4-5 seconds, then it refreshes and works again. I'm positive that no process on the server takes up enough CPU time to do that. It's not a per-PC problem, since everybody is affected when the problem starts, and when I reboot the server it works like a charm for another day; then the problem may restart the next day. Nothing shows up in the event viewer of either the PCs or the server, and we can't find a correlation between the problem and high CPU/LAN usage on the server (at worst CPU is at 10% and LAN at 2%). Our RAID controller and our SAS HDs are working flawlessly. We're in the process of changing our infrastructure anyway, but since I can refer to people who may know their stuff way more than myself, I thought I'd ask here. We first thought that our switches may be the cause, but then why would rebooting the server correct the problem?
I've been trying to set up network filtering, and am having no luck. I'm trying to block certain folders on a NAS (DNS-320). My 8-year-old insists that watching The Walking Dead is appropriate. So I need to block specific subfolders so he can't access them. I would like to keep the NAS available, because there are some ebooks there that he copies to his tablet (BlackBerry PlayBook) to read. I DON'T want to password protect the DNS-320, because I stream the videos, mainly using XBMC / OpenELEC with Samba shares. (If not, I can block the tablet from the whole NAS.) I prefer to block by MAC so there are no IP switches that happen. I also would like to block certain websites (YouTube) at specific times. Is that possible? Or I can turn off internet for the specified MACs. I wanted to use FreeDNS for the internet filtering, but my provider's DSL modem won't keep the changes to the DNS server, so that's out.
I'd like to use load balancing with the RV042, but I have some devices that don't react well to not always using the same outgoing port (like a credit card machine, for instance). Is it possible for me to create some "rule" with the RV042 that an internal IP address will use a certain WAN port? And if so, when that WAN port goes down will the RV042 fail-over to the other active WAN port? I was able to do this with a Xincom XC-OPG502 (which is being replaced with the RV042).
In the last couple of weeks my router has begun to lock up / freeze. Not sure of the appropriate terminology to use for this. The end result is that wireless and wired connections stop functioning. I can't connect to the router's web interface via wired. I can't connect to any of the wireless SSIDs. The router just doesn't respond. When I look at the router the lights are still blinking, but nobody seems to be home. I have to unplug the router, do a 30 count and plug it back in to get it to return to working order. At the time this first occurred I had not made any changes to the device in months, if not longer. It was running great. Not sure what happened.
Region : Germany Model : TL-MR3020 Hardware Version : V1 Firmware Version : 3.14.2 Build 120817 Rel.55520n ISP : T-Mobile
Is it at all possible to lock a 2G/3G stick to 2G or 3G with the TL-MR3020 (e.g. if the desired network's (2G or 3G) signal strength is low)? If not, this would be a useful feature for upcoming firmware versions.
I just hooked up my wireless internet yesterday and I wanted to lock it so no one like the neighbors can use it. When I click on it just now, it asks for the network security key, and I can't find or even remember it and don't know what this is?
I own a cyber cafe. I was told that switches are smart enough to distribute the same speed to all the clients, so I was not worried at first. But now if 2-3 customers start watching YouTube videos, the rest start complaining about the speed. I googled for a solution but got none. How do I limit the speed? I want to lock the bandwidth of each computer.