06-09-2017 09:55 AM
Hi Team,
We have remote access VPN users terminating to ASA and thereby accessing our internal users.
Now I want to ask whether it is possible that my user A can only access server B but not C.
Can I configure any such restriction for my VPN users? I know about applying VPN filters to the group policy, but then I need to use a whole ACL, whereas I want a user-specific policy?
Can anybody help ?
ASA version: 9.4
06-09-2017 10:55 AM
Where is your authentication done - locally on the ASA or via a AAA server? If AAA, what kind (ACS, ISE, AD etc.) How many rule sets do you need?
Depending on the answers, there are a couple of options. For example:
https://supportforums.cisco.com/discussion/11162686/access-list-remote-access-vpn-users
https://supportforums.cisco.com/discussion/11992626/how-restrict-vpn-users-access-specific-server
06-10-2017 12:04 AM
Hi Marvin,
Thanks a lot. Those posts answered all my queries.
Just one more thing I want to ask: if we are using 'username attributes' while doing local authentication to the ASA,
can we use these 'username attributes' while doing my authentication to my RADIUS server?
Or is this 'username attributes' functionality only used with LOCAL authentication on the ASA, not with AAA?
Regards,
thanks
06-10-2017 12:50 AM
You're welcome.
The local username on the ASA and any attributes defined are strictly local.
If you are using an external AAA server then it must retrieve attributes from its own identity store (or an upstream one, like when ACS retrieves AD group membership for a user and passes the appropriate authorization back to the ASA as a RADIUS A-V (attribute-value) pair).
06-10-2017 06:41 AM
Thanks Sir!
It also means that once I configure my AAA server as the authentication method instead of LOCAL on the ASA, the configuration of all username-specific attributes will be of no use, right?
06-10-2017 08:34 AM
You're welcome.
Not necessarily. The authentication and authorization servers are configured per tunnel-group. So you could have local users for some tunnel-groups and external users for others.
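The two points made in this thread, a per-user vpn-filter applied through `username ... attributes` for locally authenticated users and a separate tunnel-group that authenticates against an external RADIUS server (where the ASA's local username attributes do not apply), put together as an added ASA configuration sketch. This is not configuration from the original posts; the names, the 10.10.10.0/24 client pool, the 192.168.1.20 server address, the RADIUS server address and the key are constructed placeholders, and the vpn-filter ACE is written on the usual assumption that the source is the VPN client address and the destination is the internal resource.

```cisco
! ---- Per-user restriction for locally authenticated users ----
! Assumed pool handed to AnyConnect/IPsec clients (constructed value)
ip local pool RA_POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0

! vpn-filter ACL: client (source) may reach only server B (192.168.1.20), nothing else.
! The ASA permits the return traffic of these flows itself; do not bind this ACL
! to an interface with access-group, a vpn-filter ACL is meant for the tunnel only.
access-list USERA_TO_SERVER_B extended permit ip 10.10.10.0 255.255.255.0 host 192.168.1.20
access-list USERA_TO_SERVER_B extended deny ip any any log

! Group policy holds the general settings shared by the tunnel-group's users
group-policy RA_GP internal
group-policy RA_GP attributes
 address-pools value RA_POOL

! User-specific attributes override the group policy for this user only,
! so user A gets the restrictive filter while other local users keep the group default.
username usera password <placeholder-password>
username usera attributes
 vpn-filter value USERA_TO_SERVER_B
 vpn-group-policy RA_GP

! Tunnel-group that authenticates locally (username attributes apply here)
tunnel-group RA_LOCAL type remote-access
tunnel-group RA_LOCAL general-attributes
 default-group-policy RA_GP
 authentication-server-group LOCAL

! ---- Second tunnel-group authenticating against RADIUS ----
! Users of this tunnel-group are looked up on the RADIUS server; the ASA's local
! username attributes are not consulted, so per-user restrictions must come from
! the RADIUS server (e.g. a downloadable ACL or a per-user filter attribute).
aaa-server RADIUS_GRP protocol radius
aaa-server RADIUS_GRP (inside) host 192.168.1.5
 key <placeholder-shared-secret>

tunnel-group RA_RADIUS type remote-access
tunnel-group RA_RADIUS general-attributes
 default-group-policy RA_GP
 authentication-server-group RADIUS_GRP
```

Verification after applying this: `show run username usera` should list the `vpn-filter value` line, and once user A is connected `show vpn-sessiondb detail anyconnect filter name usera` shows the filter name in the session details, while attempts to reach any host other than 192.168.1.20 appear in the log as denied by the ACL because of the `log` keyword on the final deny entry.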