No announcement yet.

ASA5510, Multiple Remote Access VPN's, IAS Radius

  • Filter
  • Time
  • Show
Clear All
new posts

  • ASA5510, Multiple Remote Access VPN's, IAS Radius

    Hi everyone,

    So here is my problem. I have a Cisco ASA5510, and I currently have one VPN-Tunnel Group setup for remote access(using the cisco client). We'll call the first Group VPN1. I have it authenticating to a windows radius server. The radius server(IAS) has a policy that basically says "allow anyone in windows "vpngroup1" access". The VLAN that VPN1 has access to contains extremely sensitive data, and is highly restricted in terms of who can access it. I want to create a general use vpn group for the rest of the users. Lets say I create another VPN group on the cisco (VPN2). I want it to use the windows radius server for authentication. The problem is if I create a policy in IAS that says "allow anyone in "vpngroup2" access", then it gives vpngroup2 access to vpn1 as well as vpn2.

    How can I configure IAS to give access to vpn1 ONLY to "vpngroup1" and vpn2 ONLY to "vpngroup2"

    Should I ditch radius and use LDAP or kerberos? If so, then where would I configure the security policy?

    A couple of notes:
    I already have the first vpn setup successfully, so I have the radius setup correctly in AAA. I have the radius server setup as an "authentication server group" in the vpn group settings.
    I *don't* want to use a user list on the cisco, I want it integrated with AD.
    I want to use only 1 radius server if possible.
    I know that an unauthorized user would have to know the VPN group password for VPN1, so it would still be theoretically secure, but I would like to have the extra layer of security.

    This is a toughie, and I'm stuck. I appreciate any help/suggestions anyone can offer.


  • #2
    Re: ASA5510, Multiple Remote Access VPN's, IAS Radius


    two things strikes my mind as soon as i read the issue.

    may be you can try this options out

    Make access rules for VPN-2 users and permit , deny traffic you want in ASA itself.

    the other option

    You can deny from the servers ( e-g a file server) to deny access to it for VPN-2 users in sharing and secuirty options in NTFS permissions.

    Thanks and With Best Regards



    • #3
      Re: ASA5510, Multiple Remote Access VPN's, IAS Radius

      Along the lines of the post below. Make a Split Tunnel ACL and apply it to the Group-Policy attributes of that particular VPN group. It's pretty straightforward, if you need help let me know and I can send you a config example. I have done this before.



      • #4
        Re: ASA5510, Multiple Remote Access VPN's, IAS Radius

        I have a split-tunnel ACL, and vpn2 can only access the vlan that I want it to. The problem is that I'd like to have seperate user groups in AD for for each vpn.

        The problem does not lie in the vpngroup setup. It lies in the authentication setup.

        Let's say I create a windows user group called VPNGROUP2. I add the users that I want to access vpn2. How can I, in IAS, tell it allow ONLY vpngroup1 users access to VPN1, and vpngroup2 users only access to vpn2. Right now, the cisco sees the radius server, and uses it. Both vpn tunnel groups are setup to use the windows radius server for authentication.

        Maybe this is more of a windows question than a cisco one. The reason I posted it in this particular forum was because I thought there might be a way besides using radius to do this(i.e. ldap). I've looked into using ldap, and it seems incredibly complicated. Like I have to create a LDAP attribute map, etc...
        It seems that the LDAP idea might be me barking up the wrong tree. I must try to expand my understanding of how LDAP would work conceptually with the cisco. Either that or there is some trick in IAS that I just can't figure out.

        So.. is there anyone here that has setup an ASA with multiple VPN tunnel groups, that is using radius(IAS) for authentication, that in AD can just add a user to different groups to give access to different vpn tunnel groups? If so, then i'd love some advice on the config