Rodrigo,
You still haven't sent your configurations, so we can see why group-lock is
not working for you. If you apply it in the group-policy, there is no reason for
it not to work if your configuration is correct.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Rodrigo Magalhaes
Sent: Monday, July 05, 2010 6:27 AM
To: Pemasiri Devanarayana
Cc: Kanishka Acharya (kaachary); Edouard Zorrilla; Farrukh Haroon;
security_at_groupstudy.com; Cisco certification
Subject: Re: VPN Restriction in ASA OS 8.22
Hi Kanishka,
I'm trying to do this group-lock, but in my scenario I have a small
difference. The ASA is integrated with RSA Auth Manager and the users/groups
are created on RSA. So, is there any way to make this group-lock work in this
scenario? I think it is something like what we do with AD, so the ASA has to
send a RADIUS attribute to RSA. Am I right? How can I do this?
Thanks,
Rodrigo Magalhaes
On Mon, Jul 5, 2010 at 3:39 AM, Pemasiri Devanarayana
<pemasiri_at_gmail.com>wrote:
> Hi Kanishka,
>
> Would you please send me any documentation about Tunnel-Group-Lock
> configuration related for ASA/ACS?.
>
> I also have a similar requirement; I have two tunnel-groups, one for
> corporate users connecting to the VPN using AD, and another group for netadmins
> to connect using the ACS local DB. However, now an AD user can connect to both
> VPNs. I want to restrict corporate users from connecting to the Netadmin VPN
> group.
>
> thanks
>
>
>
> On Sun, Mar 21, 2010 at 9:41 AM, Kanishka Acharya (kaachary) <
> kaachary_at_cisco.com> wrote:
>
> > Binding a group-policy means: irrespective of which tunnel-group the user
> > uses to connect, he will use the group-policy that's pushed via RADIUS. This
> > doesn't restrict the user to a single tunnel-group. For that purpose, you
> > need to use VSA 85 (Tunnel-Group-Lock) as I mentioned earlier.
> >
> > This can also be done using an LDAP attribute-map based on AD group
> > membership. The config will look something like:
> >
> > ciscoasa(config)#ldap attribute-map CISCOMAP
> > ciscoasa(config-ldap-attribute-map)#map-name memberOf Tunnel-Group-Lock
> > ciscoasa(config-ldap-attribute-map)#map-value memberOf CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com <TunnelGroupName>
> >
> >
> >
> >
> > ________________________________
> >
> > From: nobody_at_groupstudy.com on behalf of Edouard Zorrilla
> > Sent: Sat 3/20/2010 10:32 AM
> > To: Kanishka Acharya (kaachary); Farrukh Haroon
> > Cc: security_at_groupstudy.com; Cisco certification
> > Subject: Re: VPN Restriction in ASA OS 8.22
> >
> >
> >
> > Hello Kanishka,
> >
> > What is the difference between group-lock and binding a group-policy to
> > the user?
> >
> > Thanks,
> >
> > Regards
> >
> > ----- Original Message -----
> > From: Kanishka Acharya (kaachary)
> > To: Farrukh Haroon ; Edouard Zorrilla
> > Cc: security_at_groupstudy.com ; Cisco certification
> > Sent: Friday, March 19, 2010 4:59 PM
> > Subject: RE: VPN Restriction in ASA OS 8.22
> >
> >
> > Actually on the ASA, RADIUS Class [25] is no longer used for group-lock, but
> > to bind a group-policy to the user. You need to use the cvpn 3000/PIX/ASA VSA
> > 85 (Tunnel-Group-Lock) for this purpose. Alternatively, you can use the
> > group-lock attribute in the group-policy for this.
> >
> >
> >
> >
> > ----------------------------------------------------------------------------
> > From: nobody_at_groupstudy.com on behalf of Farrukh Haroon
> > Sent: Sat 3/20/2010 2:21 AM
> > To: Edouard Zorrilla
> > Cc: security_at_groupstudy.com; Cisco certification
> > Subject: Re: VPN Restriction in ASA OS 8.22
> >
> >
> > Do you want to restrict a group to a single user only?
> >
> > Or do you want to make sure that a particular user 'x' can only log in to a
> > particular group 'gx'?
> >
> > Have you seen the group-lock command and RADIUS Attribute 25 (Class)?
> >
> > Regards
> >
> > Farrukh
> >
> > On Fri, Mar 19, 2010 at 11:45 PM, Edouard Zorrilla
> > <ezorrilla_at_tsf.com.pe>wrote:
> >
> > > Hi Team,
> > >
> > > Is there a way I can make something inside the ASA so that one user can
> > > only log in to a single group:
> > >
> > > group-policy CISCO-ENG internal
> > > group-policy CISCO-ENG attributes
> > >  vpn-simultaneous-logins 1
> > >  vpn-idle-timeout 30
> > >  vpn-session-timeout 120
> > >  ipsec-udp enable
> > >  split-tunnel-policy tunnelall
> > >  default-domain value dfg.com
> > >  secure-unit-authentication enable
> > >  user-authentication enable
> > >  user-authentication-idle-timeout 10
> > >  address-pools value POOCISCO-ENG
> > > !
> > > tunnel-group CISCO-ENG type remote-access
> > > tunnel-group CISCO-ENG general-attributes
> > >  authentication-server-group RADIUS
> > >  authentication-server-group (outside) RADIUS
> > >  accounting-server-group RADIUS
> > >  default-group-policy RAS_test
> > > tunnel-group CISCO-ENG ipsec-attributes
> > >  pre-shared-key *****
> > > !
> > >
> > > Right now any user can log in to any group, and this is not what I want.
> > >
> > > Thanks
> > >
> > > Regards
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
>
--
Rodrigo Magalhaes

Received on Mon Jul 05 2010 - 09:17:01 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART
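Added example, not configuration posted by any participant in the thread above: an ASA configuration that puts together the three ways the thread mentions for locking a user to one tunnel-group (the group-lock attribute in a group-policy, the LDAP attribute-map that derives Tunnel-Group-Lock from AD memberOf, and the RADIUS VSA for servers such as ACS or RSA). The tunnel-group names CORP and NETADMIN, the policy names, the server names, the 192.0.2.10 address and the example.com DNs are all assumptions; replace them with your own.

```cisco
! Added example (not from the thread). Tunnel-group, policy and server
! names, the host address and the AD DNs are assumptions.
!
! 1) group-lock in a group-policy. A user who receives this policy is
!    rejected unless the tunnel-group he connected through is NETADMIN.
!    Each tunnel-group's own default policy locking to itself changes
!    nothing; the lock only helps when the AAA server assigns the policy
!    per user (RADIUS IETF Class [25] = "OU=NETADMIN-POLICY;").
group-policy NETADMIN-POLICY internal
group-policy NETADMIN-POLICY attributes
 group-lock value NETADMIN
 vpn-simultaneous-logins 1
!
group-policy CORP-POLICY internal
group-policy CORP-POLICY attributes
 group-lock value CORP
!
! 2) LDAP attribute-map: set Tunnel-Group-Lock from AD group membership,
!    so no per-user attribute has to be stored on a RADIUS server.
ldap attribute-map AD-MAP
 map-name memberOf Tunnel-Group-Lock
 map-value memberOf CN=VPN-Corp,OU=Groups,DC=example,DC=com CORP
 map-value memberOf CN=VPN-NetAdmin,OU=Groups,DC=example,DC=com NETADMIN
!
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map AD-MAP
!
tunnel-group CORP type remote-access
tunnel-group CORP general-attributes
 authentication-server-group AD
 default-group-policy CORP-POLICY
!
tunnel-group NETADMIN type remote-access
tunnel-group NETADMIN general-attributes
 authentication-server-group ACS
 default-group-policy NETADMIN-POLICY
!
! 3) RADIUS servers (ACS, RSA Authentication Manager): instead of the LDAP
!    map, return the Cisco VPN3000/ASA/PIX VSA Tunnel-Group-Lock
!    (vendor ID 3076, attribute 85, string) carrying the tunnel-group
!    name, or the string "none" to disable the lock for that user.
!
! Check what the server actually returns before relying on the lock:
! test aaa-server authentication AD host 192.0.2.10 username jdoe password ...
```

Two points worth checking against the configuration quoted earlier in the thread: the tunnel-group CISCO-ENG there has default-group-policy RAS_test, so a group-lock placed under the CISCO-ENG policy is never evaluated for a user who lands in RAS_test; the lock has to live in whichever policy the user really receives. And the lock is enforced at the tunnel-group the user chose, so the AAA server behind the second tunnel-group (ACS in the case above) must also hand corporate users a locked policy or a Tunnel-Group-Lock value, otherwise that path stays open.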