Restriction for remote vpn users in ASA

kunalchopra1992
Level 1

Hi Team,

We have remote access VPN users terminating to ASA and thereby accessing our internal users.

Now I want to ask whether it is possible that my user A can only access server B but not C.

Can I configure any such restriction for my VPN users? I know about applying VPN filters to a group policy, but there again I need to use a whole ACL, whereas I want a user-specific policy.

Can anybody help?

ASA version: 9.4

Accepted Solution

Marvin Rhoads
Hall of Fame

Where is your authentication done - locally on the ASA or via an AAA server? If AAA, what kind (ACS, ISE, AD, etc.)? How many rule sets do you need?

Depending on the answers, there are a couple of options. For example:

https://supportforums.cisco.com/discussion/11162686/access-list-remote-access-vpn-users

https://supportforums.cisco.com/discussion/11992626/how-restrict-vpn-users-access-specific-server


Hi Marvin,

Thanks a lot. Those posts answered all my queries.

Just one more thing I want to ask: if we are using 'username attributes' while doing local authentication to the ASA,

can we use these 'username attributes' while doing my authentication to my RADIUS server?

Or is this 'username attributes' functionality only used with LOCAL authentication on the ASA, not with AAA?

Regards,

thanks

You're welcome.

The local username on the ASA and any attributes defined are strictly local.

If you are using an external AAA server then it must retrieve attributes from its own identity store (or an upstream one - like when ACS retrieves AD group membership for a user and passes the appropriate authorization back to the ASA as a RADIUS A-V (attribute-value) pair).

Thanks Sir!

It also means that once I configure my AAA server as the authentication method instead of LOCAL on the ASA, the configuration of all username-specific attributes will be of no use, right?

You're welcome.

Not necessarily. The authentication and authorization servers are configured per tunnel-group. So you could have local users for some tunnel-groups and external users for others.
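The two approaches discussed in this thread, as an added ASA CLI example that is not part of any post above: a per-user vpn-filter set through local username attributes in one tunnel-group, and a second tunnel-group authenticating against an external RADIUS server where those local attributes do not apply. All addresses, names and the placeholder secrets are constructed for the example.

```text
! Constructed example: server B = 10.10.10.20, server C = 10.10.10.30,
! VPN address pool = 192.168.100.0/24. Names and addresses are assumptions.
!
! vpn-filter ACLs are written from the remote user's perspective:
! source = VPN client address, destination = internal resource.
! Return traffic is permitted automatically; anything not permitted is dropped,
! and the explicit deny with "log" makes attempts to reach server C visible in syslog.
access-list VPNFILTER_USER_A extended permit tcp 192.168.100.0 255.255.255.0 host 10.10.10.20 eq 443
access-list VPNFILTER_USER_A extended deny ip any any log
!
! Baseline filter applied to everyone in the group-policy (least privilege by default).
access-list VPNFILTER_DEFAULT extended deny ip any any log
!
ip local pool VPN_POOL 192.168.100.10-192.168.100.200 mask 255.255.255.0
!
group-policy GP_REMOTE internal
group-policy GP_REMOTE attributes
 vpn-tunnel-protocol ssl-client ikev2
 vpn-filter value VPNFILTER_DEFAULT
!
! Per-user override: a vpn-filter set under "username ... attributes" takes
! precedence over the group-policy value, but only when this user
! authenticates against the LOCAL database.
username usera password <set-a-strong-password>
username usera attributes
 vpn-group-policy GP_REMOTE
 vpn-filter value VPNFILTER_USER_A
!
tunnel-group RA_LOCAL type remote-access
tunnel-group RA_LOCAL general-attributes
 address-pool VPN_POOL
 authentication-server-group LOCAL
 default-group-policy GP_REMOTE
!
! Second tunnel-group using an external RADIUS server. Local username
! attributes are ignored here; per-user authorization must come back from
! the server as attribute-value pairs, and any ACL it names must still be
! defined on the ASA.
aaa-server RADIUS_GRP protocol radius
aaa-server RADIUS_GRP (inside) host 10.10.20.5
 key <shared-secret>
tunnel-group RA_RADIUS type remote-access
tunnel-group RA_RADIUS general-attributes
 address-pool VPN_POOL
 authentication-server-group RADIUS_GRP
 default-group-policy GP_REMOTE
```

After a user connects, `show vpn-sessiondb detail anyconnect` shows which filter was actually applied to the session, which is the quickest way to confirm the per-user override took effect.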