Re: VPN Restriction in ASA OS 8.22

Hello Kanishka,
What is the difference between group-lock and binding a group-policy to the
user?
Thanks,
Regards
  ----- Original Message -----
  From: Kanishka Acharya (kaachary)
  To: Farrukh Haroon ; Edouard Zorrilla
  Cc: security_at_groupstudy.com ; Cisco certification
  Sent: Friday, March 19, 2010 4:59 PM
  Subject: RE: VPN Restriction in ASA OS 8.22
  Actually on ASA, Radius Class [25] is no longer used for group-lock, but to
bind a group-policy to the user. You need to use cvpn 3000/PIX/ASA VSA 85
(Tunnel-Group-Lock) for this purpose. Alternatively, you can use the
Group-lock attribute in group-policy for this.
------------------------------------------------------------------------------
  From: nobody_at_groupstudy.com on behalf of Farrukh Haroon
  Sent: Sat 3/20/2010 2:21 AM
  To: Edouard Zorrilla
  Cc: security_at_groupstudy.com; Cisco certification
  Subject: Re: VPN Restriction in ASA OS 8.22
  Do you want to restrict a group to a single user only?
  Or you want to make sure that a particular user 'x' can only login to a
  particular group 'gx'?
  Have you seen the group-lock command and the Radius Attribute 25 (Class)?
  Regards
  Farrukh
  On Fri, Mar 19, 2010 at 11:45 PM, Edouard Zorrilla <ezorrilla_at_tsf.com.pe> wrote:
  > Hi Team,
  >
  > Is there a way I can make something inside the ASA so that one user just can
  > log in to a single group:
  >
  > group-policy CISCO-ENG internal
  > group-policy CISCO-ENG attributes
  >  vpn-simultaneous-logins 1
  >  vpn-idle-timeout 30
  >  vpn-session-timeout 120
  >  ipsec-udp enable
  >  split-tunnel-policy tunnelall
  >  default-domain value dfg.com
  >  secure-unit-authentication enable
  >  user-authentication enable
  >  user-authentication-idle-timeout 10
  >  address-pools value POOCISCO-ENG
  > !
  > tunnel-group CISCO-ENG type remote-access
  > tunnel-group CISCO-ENG general-attributes
  >  authentication-server-group RADIUS
  >  authentication-server-group (outside) RADIUS
  >  accounting-server-group RADIUS
  >  default-group-policy RAS_test
  > tunnel-group CISCO-ENG ipsec-attributes
  >  pre-shared-key *****
  > !
  >
  > Right now any user can log in to any group, this is not what I want.
  >
  > Thanks
  >
  > Regards
  >
  >
  > Blogs and organic groups at http://www.ccie.net
  >
Received on Fri Mar 19 2010 - 22:02:23 ART
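
Added example, not part of the original thread: the two mechanisms discussed above side by side as ASA configuration. The tunnel-group and group-policy name CISCO-ENG come from the posted config; the username user-x is hypothetical.

```cisco
! Added example. "user-x" is a hypothetical local user.
!
! Binding a group-policy to a user only selects WHICH policy the user
! receives. It does not by itself stop the user from connecting through
! a different tunnel-group.
username user-x attributes
 vpn-group-policy CISCO-ENG
!
! For RADIUS-authenticated users the same binding is done by returning
! Class (25) with the policy name, in the form:  OU=CISCO-ENG;
!
! group-lock is the restriction: a session whose effective policy
! carries it is refused unless it arrived on the named tunnel-group.
group-policy CISCO-ENG attributes
 group-lock value CISCO-ENG
!
! group-lock can also be set per user instead of per policy:
username user-x attributes
 group-lock value CISCO-ENG
!
! From RADIUS, the per-user equivalent is VSA 85 (Tunnel-Group-Lock)
! with the tunnel-group name as its value, as noted in the thread.
!
! Caveat for the posted config: tunnel-group CISCO-ENG falls back to
! default-group-policy RAS_test. A user who is handed no policy by
! RADIUS gets RAS_test, which has no group-lock here, so every policy
! a user can end up with needs its own group-lock value.
```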