
St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS
Tel: 0845 450 4944  Fax: 0870 005 3464
Web: www.L3n.co.uk  Email: [email protected]

Cisco ASA Multi-tier VPN access with Active Directory Group Authentication

Maintaining a network is difficult enough, and centralised control is very important for keeping track of who can access what. Active Directory is the most common form of user access control on a local network, so why not use it to assign the level of access for your VPN connection? Here’s how.

Brief

The three AD groups used for the tiers of access:

VPN-standard-access
VPN-full-Access
VPN-Enhanced-Access

Our VPN is authenticated via AD, and group policies are assigned based on the AD group the user is a member of. A VPN filter is bound to each group policy, allowing or denying access to specific resources. It is possible to send ACLs via RADIUS too, but they would be near impossible to manage; it is far easier to amend them on the firewall itself (CLI or ASDM).

This example uses LDAP; RADIUS would offer greater security, and that solution is covered in another document.

Configuration

Networks and Hosts

Corporate Network   10.1.2.0/23
Protected network   10.3.4.0/24
Email               10.1.2.11 (EG-Exchange)
Intranet            10.1.2.56 (EG-Sharepoint), 10.1.2.232 (INTRANET-SERVER)
Shared Folders      10.1.2.152 (FILE-SERVER1), 10.1.2.154 (FILE-SERVER2)
server0             10.1.2.5/23
server1             10.1.2.98/23
server2             10.1.2.100/23
server3             10.1.2.97/23


ASA Configuration

Create objects

object network Corp_LAN
 subnet 10.1.2.0 255.255.254.0
object network PROTECT_LAN
 subnet 10.3.4.0 255.255.255.0
object network VPN_Pool
 subnet 192.168.220.0 255.255.255.0
object network EG-DC1
 host 10.1.2.3
object network EG-DC2
 host 10.1.2.4
object network EG-Exchange
 host 10.1.2.11
object network EG-RDP1
 host 10.1.2.5
object network server0
 host 10.1.2.5
object network server1
 host 10.1.2.98
object network server2
 host 10.1.2.100
object network server3
 host 10.1.2.97
object network server4
 host 10.1.2.139

Create service objects

object-group service exchange_svc tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
object-group service intranet_svc tcp
 port-object eq www
 port-object eq https
object-group service fileserver_svc tcp
 port-object eq 139
 port-object eq 445
object-group service fileserver_svc_udp udp
 port-object eq 137
 port-object eq 138
object-group service RDP_svc tcp
 port-object eq 3389


Create ACLs

access-list VPN-FullAccess remark Full VPN Access
access-list VPN-FullAccess extended deny ip any object PROTECT_LAN
access-list VPN-FullAccess extended permit ip object VPN_Pool object Corp_LAN

access-list VPN-Enhanced remark Enhanced VPN Access
access-list VPN-Enhanced remark Deny Protected LAN
access-list VPN-Enhanced extended deny ip any object PROTECT_LAN
access-list VPN-Enhanced remark Allow Core services
access-list VPN-Enhanced extended permit tcp object VPN_Pool object EG-AD-MAN-1 object-group core_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object EG-AD-MAN-2 object-group core_svc
access-list VPN-Enhanced extended permit udp object VPN_Pool object EG-AD-MAN-1 object-group core_svc_udp
access-list VPN-Enhanced extended permit udp object VPN_Pool object EG-AD-MAN-2 object-group core_svc_udp
access-list VPN-Enhanced remark Allow access to Exchange Servers
access-list VPN-Enhanced extended permit tcp object VPN_Pool object EG-Exchange object-group exchange_svc
access-list VPN-Enhanced remark Allow RDP to these servers
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server0 object-group RDP_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server1 object-group RDP_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server2 object-group RDP_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server3 object-group RDP_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server4 object-group RDP_svc

access-list VPN-Standard remark Standard VPN Access
access-list VPN-Standard remark Deny Protected LAN
access-list VPN-Standard extended deny ip any object PROTECT_LAN
access-list VPN-Standard remark Allow Core services
access-list VPN-Standard extended permit tcp object VPN_Pool object EG-AD-MAN-1 object-group core_svc
access-list VPN-Standard extended permit tcp object VPN_Pool object EG-AD-MAN-2 object-group core_svc
access-list VPN-Standard extended permit udp object VPN_Pool object EG-AD-MAN-1 object-group core_svc_udp
access-list VPN-Standard extended permit udp object VPN_Pool object EG-AD-MAN-2 object-group core_svc_udp
access-list VPN-Standard remark Allow access to Exchange Servers
access-list VPN-Standard extended permit tcp object VPN_Pool object EG-Exchange object-group exchange_svc
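How the ASA evaluates a vpn-filter (the first matching entry wins, then an implicit deny) can be checked offline before the filter is bound to a group policy; the evaluator below is an added example, not code from this guide, and runs an excerpt of the VPN-Enhanced list above against a few VPN-pool flows. It uses only objects the guide defines (EG-AD-MAN-1/2 and core_svc are referenced in the ACLs but never defined in the snippet, so they are omitted) and assumes the ASA keywords www/https/smtp/pop3 stand for ports 80/443/25/110.

```python
import ipaddress
import re

# Network objects from the guide's "Create objects" section (only those needed here).
OBJECTS = {
    "VPN_Pool": "192.168.220.0/24", "Corp_LAN": "10.1.2.0/23", "PROTECT_LAN": "10.3.4.0/24",
    "EG-Exchange": "10.1.2.11/32", "server0": "10.1.2.5/32",
}
# Service object-groups; the www/https/smtp/pop3 keywords are assumed to be 80/443/25/110.
SERVICE_GROUPS = {"exchange_svc": {80, 443, 25, 110}, "RDP_svc": {3389}}
ACE_RE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|object\s+\S+)\s+(?P<dst>any|object\s+\S+)(?:\s+object-group\s+(?P<svc>\S+))?\s*$"
)

def parse_acl(config_text, acl_name):
    """Return the ACEs of one access-list in configured order; remark lines are ignored."""
    aces = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("acl") == acl_name:
            aces.append(m.groupdict())
    return aces

def _matches(token, addr):
    """'any' matches every address; 'object NAME' is resolved through OBJECTS."""
    return token == "any" or addr in ipaddress.ip_network(OBJECTS[token.split()[1]])

def evaluate(aces, src, dst, proto, dport=None):
    """First matching ACE decides; with no match the vpn-filter's implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_matches(ace["src"], s) and _matches(ace["dst"], d)):
            continue
        if ace["svc"] and dport not in SERVICE_GROUPS[ace["svc"]]:
            continue
        return ace["action"]
    return "deny"
# Constructed excerpt of the guide's VPN-Enhanced filter, one ACE per line.
VPN_ENHANCED = """
access-list VPN-Enhanced remark Deny Protected LAN
access-list VPN-Enhanced extended deny ip any object PROTECT_LAN
access-list VPN-Enhanced extended permit tcp object VPN_Pool object EG-Exchange object-group exchange_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server0 object-group RDP_svc
"""

def enhanced_decision(dst, proto, dport=None, src="192.168.220.10"):
    return evaluate(parse_acl(VPN_ENHANCED, "VPN-Enhanced"), src, dst, proto, dport)
```

The deny for PROTECT_LAN sits first on purpose: a later permit to Corp_LAN or any other object can never override it, while anything not listed falls to the implicit deny.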

Configure LDAP

This was covered in detail in a previous guide; please refer to that for full details, but here’s a snippet of the config required:

aaa-server l3n-ldap protocol ldap
aaa-server l3n-ldap (Production) host x.x.x.x
 ldap-base-dn CN=Users,DC=domain,DC=local
 ldap-group-base-dn CN=Users,DC=l3n,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=bindadmin,CN=Users,DC=domain,DC=local
 server-type Microsoft

AD server configuration

Create the groups for our three tiers of access (repeat for T2 and T3) and create some test accounts.

Attribute Maps

This is how we bind the AD group to the ASA’s group policy.

ldap attribute-map access-MGMT
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Full-Access,OU=UK,DC=Domain,DC=com" VPN-FULL-GrPolicy
 map-value memberOf "CN=VPN-Enhanced-Access,OU=UK,DC=Domain,DC=com" VPN-EN-GrPolicy
 map-value memberOf "CN=VPN-Standard-Access,OU=UK,DC=Domain,DC=com" VPN-STD-GrPolicy

Group Policies

group-policy VPN-FULL-GrPolicy internal
group-policy VPN-FULL-GrPolicy attributes
 vpn-filter value VPN-FullAccess
 dns-server value 10.1.2.3 10.1.2.4
 vpn-tunnel-protocol ssl-client
 default-domain value test.domain.com
 webvpn
  always-on-vpn profile-setting
 exit

group-policy VPN-EN-GrPolicy internal
group-policy VPN-EN-GrPolicy attributes
 vpn-filter value VPN-Enhanced
 dns-server value 10.1.2.3 10.1.2.4
 vpn-tunnel-protocol ssl-client
 default-domain value test.domain.com
 webvpn
  always-on-vpn profile-setting
 exit

group-policy VPN-STD-GrPolicy internal
group-policy VPN-STD-GrPolicy attributes
 vpn-filter value VPN-Standard
 dns-server value 10.1.2.3 10.1.2.4
 vpn-tunnel-protocol ssl-client
 default-domain value test.domain.com
 webvpn
  always-on-vpn profile-setting
 exit

Implicit deny

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-tunnel-protocol IPSec
 webvpn
 exit

Setup Tunnel Group

tunnel-group EG-VPN-Access general-attributes
 address-pool EG-Pool1
 authentication-server-group EG-LDAP
 authorization-server-group EG-LDAP
 default-group-policy NOACCESS
tunnel-group EG-VPN-Access webvpn-attributes
 group-alias EG-VPN-Access enable

Complete!

Debugging

debug ldap 255

is the key to monitoring the attribute mapping; look out for our troubleshooting guides on AD vs Cisco!

Successful mapping:

[621] memberOf: value = CN=VPN-Standard-Access,DC=domain,DC=com
[621] mapped to IETF-Radius-Class: value = VPN-STD-GrPolicy
[621] mapped to LDAP-Class: value = VPN-STD-GrPolicy
[621] name: value = VPN-Standard
[621] sAMAccountName: value = VPN-Standard
[621] userPrincipalName: value = [email protected]

show access-list should reveal hit counts during testing!
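The chain the Attribute Maps and Debugging sections describe (memberOf value, attribute map, group policy, and the fall-through to the tunnel group's default-group-policy NOACCESS) can be checked offline against saved debug ldap 255 output. The checker below is an added example, not code from this guide; its debug lines are constructed, and it compares the map-value DN to the memberOf value as an exact string (an assumption made here), so a DN that differs from the map-value by as little as a stray space is reported as unmapped rather than quietly tolerated.

```python
import re

# Attribute map from the guide: memberOf DN -> ASA group-policy name.
ATTRIBUTE_MAP = {
    "CN=VPN-Full-Access,OU=UK,DC=Domain,DC=com": "VPN-FULL-GrPolicy",
    "CN=VPN-Enhanced-Access,OU=UK,DC=Domain,DC=com": "VPN-EN-GrPolicy",
    "CN=VPN-Standard-Access,OU=UK,DC=Domain,DC=com": "VPN-STD-GrPolicy",
}
DEFAULT_GROUP_POLICY = "NOACCESS"  # tunnel-group default-group-policy in the guide

# "[621] memberOf: value = CN=...,DC=com" as printed by debug ldap 255
MEMBEROF_RE = re.compile(r"^\[\d+\]\s+memberOf:\s+value\s+=\s+(.+?)\s*$")

def member_of(debug_lines):
    """Collect every memberOf value in the debug output (a user usually has several)."""
    return [m.group(1) for line in debug_lines if (m := MEMBEROF_RE.match(line.strip()))]

def resolve_group_policy(debug_lines, attr_map=ATTRIBUTE_MAP):
    """Return (group_policy, matched_dns) for one authentication's debug output.

    Exact string comparison is an assumption made for this checker: a memberOf
    value that does not match a map-value character for character is treated as
    unmapped, and the user then lands on the tunnel-group default policy.
    """
    matched = [dn for dn in member_of(debug_lines) if dn in attr_map]
    policies = {attr_map[dn] for dn in matched}
    if not policies:
        return DEFAULT_GROUP_POLICY, []
    if len(policies) > 1:
        # User is in more than one tier group; report it instead of guessing which wins.
        return "AMBIGUOUS", matched
    return policies.pop(), matched

# Constructed debug excerpts (not captured from a real ASA).
STANDARD_USER = [
    "[621] memberOf: value = CN=Domain Users,CN=Users,DC=Domain,DC=com",
    "[621] memberOf: value = CN=VPN-Standard-Access,OU=UK,DC=Domain,DC=com",
    "[621] sAMAccountName: value = VPN-Standard",
]
UNMAPPED_USER = [  # group DN has a stray space after "CN=", so it never matches the map
    "[622] memberOf: value = CN= VPN-Enhanced-Access,OU=UK,DC=Domain,DC=com",
    "[622] sAMAccountName: value = jdoe",
]
```

A user who resolves to NOACCESS is denied because that policy allows no ssl-client tunnel protocol, which is exactly the symptom to look for in the debug output when a group DN in the map does not match what AD returns.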
