![]() Then the login credentials are sent to the authentication server group configured for this tunnel group. So far we’re just in the tunnel group section of the configuration. They enter their user ID and login credentials. As soon as they connect, they get a login screen in which they can pick either Employees or Vendors from a drop-down menu. They connect to the hostname (or IP address) of our ASA’s outside interface. Let’s review the logical flow in this configuration example.įirst, the user opens their An圜onnect client. For example, if I wanted to allow the employee group to access anything in the corporate network, but to restrict the vendors to only access a particular subnet, I could do this: !Īccess-list STAFF_VPN_ACL extended permit ip any anyĪccess-list VENDOR_VPN_ACL extended permit ip any 10.99.99.0 255.255.255.0įinally, we need to apply the configuration to the OUTSIDE interface of the firewall: ! This applies a special ACL (access control list) to these users and allows us to restrict what they can and can’t access. One other important little bit of configuration that I want to mention is the “vpn-filter” command. And it must be in a specific format: OU=STAFF_VPN_GROUP (with the semicolon). The server must be configured so that, upon successful authentication, it hands back these values in its IETF type 25 field, also called Class. The group policy names, STAFF_VPN_GROUP and VENDOR_VPN_GROUP, are values supplied by either the RADIUS or LDAP server. ![]() Where do these names come from? This is where things get a little bit confusing, so bear with me. This could happen because the same authentication system is used for many things. But it’s also possible I could have people who simply aren’t authorized to use the VPN at all, even though they have legitimate credentials. The main reason this could happen is if they’ve simply selected the wrong profile. That is, they had valid credentials for logging in but they aren’t authorized to use the VPN. The third policy is for anybody who somehow passed their authentication but failed their authorization. We need a group policy for employees and a second one for vendors. So I could send my employees to one RADIUS server (perhaps one that’s integrated with my LDAP, or equivalently, I could use LDAP natively on the firewall) and the vendors to a different one. ![]() Note that the “authentication-server-group” command could be different in these two tunnel groups. The configuration we’re creating will allow people in the first group to connect only to the first tunnel group and users in the second group only to the second. Users will see they can select either Employees or Vendors as options. Here I’m using the “group-alias” command, which creates a drop-down box on the An圜onnect client on the user’s PC. I’ve assigned the first pool to the first tunnel group and the second pool to the second. This creates two tunnel groups called ANYCONN_1 and ANYCONN_2. Tunnel-group ANYCONN_2 type general-attributes Tunnel-group ANYCONN_2 type remote-access Tunnel-group ANYCONN_1 type general-attributes Tunnel-group ANYCONN_1 type remote-access ![]() I’ll create two such groups for reasons I’ll explain later. ![]() I defined two pools here because I plan to have multiple tunnel groups later. It’s just used on the inside of the network after the remote user’s traffic has passed through the ASA. It has nothing to do with the user’s public IP address or any address they might have inside their home network. This is the address that will appear inside the corporate network for this user. When users connect their VPN, they’ll need an IP address for the VPN session. It’s accessed through the ASA interface that I called “INSIDE” in the interface configuration. This configuration fragment says that I have a RADIUS server inside my network with IP address 10.10.1.1, which I refer to by the tag “MYRADIUS” in the ASA configuration. The configuration is similar: !Īaa-server MYRADIUS (INSIDE) host 10.10.1.1 My preference is to use RADIUS for authentication and authorization, but there are other options such as LDAP. The first thing to configure is AAA authentication. The process itself is quite simple, though, so let’s go through the steps you’ll need to configure Cisco An圜onnect for your VPN. Unfortunately, the documentation from Cisco is extremely confusing, and I’ve seen a lot of organizations that do it wrong (by which I mean insecurely). Because the world continues to work from home this year, I’ve had to configure Cisco An圜onnect VPNs on ASA firewalls for clients a few times. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |