St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS
Tel: 0845 450 4944  Fax: 0870 005 3464  Web: www.l3n.co.uk  Email: info@l3n.co.uk

Cisco ASA Multi-tier VPN access with Active Directory Group Authentication

Maintaining a network is difficult enough; centralised control is very important to keep track of who can access what. Active Directory is the most common form of user access control on a local network, so why not use it to assign the level of access for your VPN connection? Here's how.

Brief

Three AD groups define the three tiers of access:

VPN-Standard-Access
VPN-Full-Access
VPN-Enhanced-Access

Our VPN is authenticated via AD, and a group policy is assigned to each user based on the AD group they are a member of. A VPN filter is bound to each group policy, allowing or denying access to specific resources. It is possible to send ACLs via RADIUS too, but they would be near impossible to manage; it is far easier to amend them on the firewall itself (CLI or ASDM). This example uses LDAP. RADIUS would offer greater security, and that solution is covered in another document.

Configuration

Networks and Hosts

Corporate network   10.1.2.0/23
Protected network   10.3.4.0/24
Email               10.1.2.11 (EG-Exchange)
Intranet            10.1.2.56 (EG-Sharepoint), 10.1.2.232 (INTRANET-SERVER)
Shared folders      10.1.2.152 (FILE-SERVER1), 10.1.2.154 (FILE-SERVER2)
server0             10.1.2.5/23
server1             10.1.2.98/23
server2             10.1.2.100/23
server3             10.1.2.97/23
server4             10.1.2.139/23
ASA Configuration

Create objects

object network Corp_LAN
 subnet 10.1.2.0 255.255.254.0
object network PROTECT_LAN
 subnet 10.3.4.0 255.255.255.0
object network VPN_Pool
 subnet 192.168.220.0 255.255.255.0
object network EG-DC1
 host 10.1.2.3
object network EG-DC2
 host 10.1.2.4
object network EG-Exchange
 host 10.1.2.11
object network EG-RDP1
 host 10.1.2.5
object network server0
 host 10.1.2.5
object network server1
 host 10.1.2.98
object network server2
 host 10.1.2.100
object network server3
 host 10.1.2.97
object network server4
 host 10.1.2.139

Create service objects

object-group service exchange_svc tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
object-group service intranet_svc tcp
 port-object eq www
 port-object eq https
object-group service fileserver_svc tcp
 port-object eq 139
 port-object eq 445
object-group service fileserver_svc_udp udp
 port-object eq 137
 port-object eq 138
object-group service RDP_svc tcp
 port-object eq 3389
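Object names on the ASA are case-sensitive, and the CLI rejects an access-list entry that names an object or object-group it does not know, so it is worth checking the ACLs against these definitions before pasting them into the firewall. The script below is an added example, not from the guide; its SAMPLE_CONFIG is constructed from a subset of the guide's object, object-group and access-list lines, with one deliberately mis-cased reference (Server3) to show what the check reports.

```python
"""Reference check for object, object-group and access-list lines before they are
pasted into the ASA. Added example, not from the guide. The ASA rejects an ACE that
names an object or object-group it does not know, and object names are case-sensitive,
so the check is case-sensitive as well and suggests a defined name that differs only
in case. SAMPLE_CONFIG is constructed: a subset of the guide's lines plus one
deliberate wrong-case reference (Server3) to show what the check reports.
"""
import re

SAMPLE_CONFIG = """\
object network Corp_LAN
 subnet 10.1.2.0 255.255.254.0
object network PROTECT_LAN
 subnet 10.3.4.0 255.255.255.0
object network VPN_Pool
 subnet 192.168.220.0 255.255.255.0
object network EG-Exchange
 host 10.1.2.11
object network server3
 host 10.1.2.97
object-group service exchange_svc tcp
 port-object eq www
 port-object eq https
object-group service RDP_svc tcp
 port-object eq 3389
access-list VPN-Standard extended deny ip any object PROTECT_LAN
access-list VPN-Standard extended permit tcp object VPN_Pool object EG-Exchange object-group exchange_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object Server3 object-group RDP_svc
"""

OBJECT_DEF = re.compile(r"^object (?:network|service) (\S+)")
GROUP_DEF = re.compile(r"^object-group (?:network|service|protocol|icmp-type) (\S+)")
# "object-group" has a hyphen, not a space, after "object", so OBJECT_REF does not match it
OBJECT_REF = re.compile(r"\bobject (\S+)")
GROUP_REF = re.compile(r"\bobject-group (\S+)")


def defined_names(config):
    """Collect object and object-group names from their definition lines."""
    objects, groups = set(), set()
    for line in config.splitlines():
        m = OBJECT_DEF.match(line)
        if m:
            objects.add(m.group(1))
        m = GROUP_DEF.match(line)
        if m:
            groups.add(m.group(1))
    return objects, groups


def undefined_references(config):
    """Return (line number, kind, name, case-only suggestion or None) for every
    access-list reference that the ASA would reject."""
    objects, groups = defined_names(config)
    problems = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if not line.startswith("access-list "):
            continue
        for kind, pattern, known in (("object", OBJECT_REF, objects),
                                     ("object-group", GROUP_REF, groups)):
            for name in pattern.findall(line):
                if name in known:
                    continue
                # a defined name that matches ignoring case is the usual cause
                suggestion = next((k for k in known if k.lower() == name.lower()), None)
                problems.append((lineno, kind, name, suggestion))
    return problems


if __name__ == "__main__":
    for lineno, kind, name, suggestion in undefined_references(SAMPLE_CONFIG):
        hint = f" (did you mean {suggestion}?)" if suggestion else ""
        print(f"line {lineno}: {kind} {name} is not defined{hint}")
```

Paste the full object, object-group and access-list sections into SAMPLE_CONFIG (or read them from a file) and the check lists every ACE the ASA would refuse, which is quicker than finding them one at a time at the CLI.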
Create ACLs

access-list VPN-FullAccess remark Full VPN Access
access-list VPN-FullAccess extended deny ip any object PROTECT_LAN
access-list VPN-FullAccess extended permit ip object VPN_Pool object Corp_LAN

access-list VPN-Enhanced remark Enhanced VPN Access
access-list VPN-Enhanced remark Deny Protected LAN
access-list VPN-Enhanced extended deny ip any object PROTECT_LAN
access-list VPN-Enhanced remark Allow Core services
access-list VPN-Enhanced extended permit tcp object VPN_Pool object EG-AD-MAN-1 object-group
access-list VPN-Enhanced extended permit tcp object VPN_Pool object EG-AD-MAN-2 object-group
access-list VPN-Enhanced extended permit udp object VPN_Pool object EG-AD-MAN-1 object-group _udp
access-list VPN-Enhanced extended permit udp object VPN_Pool object EG-AD-MAN-2 object-group _udp
access-list VPN-Enhanced remark Allow access to Exchange Servers
access-list VPN-Enhanced extended permit tcp object VPN_Pool object EG-Exchange object-group exchange_svc
access-list VPN-Enhanced remark Allow RDP to these servers
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server0 object-group RDP_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server1 object-group RDP_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server2 object-group RDP_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server3 object-group RDP_svc
access-list VPN-Enhanced extended permit tcp object VPN_Pool object server4 object-group RDP_svc

access-list VPN-Standard remark Standard VPN Access
access-list VPN-Standard remark Deny Protected LAN
access-list VPN-Standard extended deny ip any object PROTECT_LAN
access-list VPN-Standard remark Allow Core services
access-list VPN-Standard extended permit tcp object VPN_Pool object EG-AD-MAN-1 object-group
access-list VPN-Standard extended permit tcp object VPN_Pool object EG-AD-MAN-2 object-group
access-list VPN-Standard extended permit udp object VPN_Pool object EG-AD-MAN-1 object-group _udp
access-list VPN-Standard extended permit udp object VPN_Pool object EG-AD-MAN-2 object-group _udp
access-list VPN-Standard remark Allow access to Exchange Servers
access-list VPN-Standard extended permit tcp object VPN_Pool object EG-Exchange object-group exchange_svc

Configure LDAP

This was covered in detail in a previous guide; please refer to that for full information, but here is a snippet of the config required:

aaa-server l3n-ldap protocol ldap
aaa-server l3n-ldap (Production) host x.x.x.x
 ldap-base-dn CN=Users,DC=domain,DC=local
 ldap-group-base-dn CN=Users,DC=l3n,DC=local
 ldap-scope subtree
 ldap-naming-attribute samaccountname
 ldap-login-password *****
 ldap-login-dn CN=bindadmin,CN=Users,DC=domain,DC=local
 server-type microsoft

AD server configuration

Create the groups for our 3 tiers of access (repeat for T2 and T3) and create some test accounts.

Attribute Maps

This is how we bind the AD group to the ASA's group policy: each memberOf value that matches one of our three groups is mapped to the name of a group policy.

ldap attribute-map access-mgmt
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Full-Access,OU=UK,DC=Domain,DC=com" VPN-FULL-GrPolicy
 map-value memberOf "CN=VPN-Enhanced-Access,OU=UK,DC=Domain,DC=com" VPN-EN-GrPolicy
 map-value memberOf "CN=VPN-Standard-Access,OU=UK,DC=Domain,DC=com" VPN-STD-GrPolicy

Group Policies

group-policy VPN-FULL-GrPolicy internal
group-policy VPN-FULL-GrPolicy attributes
 vpn-filter value VPN-FullAccess
 default-domain value test.domain.com
group-policy VPN-EN-GrPolicy internal
group-policy VPN-EN-GrPolicy attributes
 vpn-filter value VPN-Enhanced
 default-domain value test.domain.com
group-policy VPN-STD-GrPolicy internal
group-policy VPN-STD-GrPolicy attributes
 vpn-filter value VPN-Standard
 default-domain value test.domain.com

Implicit deny

Any user who authenticates but is not a member of one of the three mapped groups receives the tunnel group's default-group-policy, NOACCESS:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-tunnel-protocol IPSec

Setup Tunnel Group

tunnel-group EG-VPN-Access general-attributes
 address-pool EG-Pool1
 authentication-server-group EG-LDAP
 authorization-server-group EG-LDAP
 default-group-policy NOACCESS
tunnel-group EG-VPN-Access webvpn-attributes
 group-alias EG-VPN-Access enable

Complete!

Debugging

debug ldap 255 is the key to monitoring the attribute mapping; look out for our troubleshooting guides on AD vs Cisco!

Successful mapping:

[621] memberof: value = CN=VPN-Standard-Access,DC=domain,DC=com
[621] mapped to IETF-Radius-Class: value = VPN-STD-GrPolicy
[621] mapped to LDAP-Class: value = VPN-STD-GrPolicy
[621] name: value = VPN-Standard
[621] samaccountname: value = VPN-Standard
[621] userprincipalname: value = VPN-Standard@domain.com

show access-list should reveal hit counts on the VPN filter ACLs during testing!
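To check the three tiers end to end before testing on the firewall, the following Python script (an added example, not part of the guide or of Cisco's software) models the chain the guide has just built: the attribute map turns a user's memberOf values into a group policy, the group policy selects a vpn-filter, and the ACL is evaluated first-match with an implicit deny at the end. The ACL contents are constructed from the guide's ACEs (the EG-AD-MAN-1/2 lines are left out because their object-group names are not given on the page), the sample users are invented, and a user who lands in NOACCESS is simply treated as reaching nothing.

```python
"""Model of the user -> group-policy -> vpn-filter chain from this guide.

Added example, not from the guide or Cisco. It reproduces the guide's attribute map,
group policies and the VPN-Standard / VPN-Enhanced / VPN-FullAccess ACLs as constructed
Python data and applies ASA ACL semantics: first match wins, implicit deny at the end.
The EG-AD-MAN-1/2 ACEs are omitted because their object-group names are not given.
"""
import ipaddress

# ldap attribute-map access-mgmt: memberOf DN -> group-policy name
ATTRIBUTE_MAP = {
    "CN=VPN-Full-Access,OU=UK,DC=Domain,DC=com": "VPN-FULL-GrPolicy",
    "CN=VPN-Enhanced-Access,OU=UK,DC=Domain,DC=com": "VPN-EN-GrPolicy",
    "CN=VPN-Standard-Access,OU=UK,DC=Domain,DC=com": "VPN-STD-GrPolicy",
}
# tunnel-group default-group-policy: what a user with no mapped group receives
DEFAULT_GROUP_POLICY = "NOACCESS"

# group-policy attributes: vpn-filter value <acl>
VPN_FILTER = {
    "VPN-FULL-GrPolicy": "VPN-FullAccess",
    "VPN-EN-GrPolicy": "VPN-Enhanced",
    "VPN-STD-GrPolicy": "VPN-Standard",
}

# Objects and service groups from the guide
CORP_LAN = ipaddress.ip_network("10.1.2.0/23")
PROTECT_LAN = ipaddress.ip_network("10.3.4.0/24")
EG_EXCHANGE = ipaddress.ip_network("10.1.2.11/32")
RDP_SERVERS = ["10.1.2.5", "10.1.2.98", "10.1.2.100", "10.1.2.97", "10.1.2.139"]
EXCHANGE_SVC = {80, 443, 25, 110}   # www, https, smtp, pop3
RDP_SVC = {3389}


def host(ip):
    return ipaddress.ip_network(ip + "/32")


# Each ACE: (action, protocol, destination network, destination ports or None).
# The source of every ACE on the page is VPN_Pool, so the source is not modelled.
ACLS = {
    "VPN-FullAccess": [
        ("deny", "ip", PROTECT_LAN, None),
        ("permit", "ip", CORP_LAN, None),
    ],
    "VPN-Enhanced": [
        ("deny", "ip", PROTECT_LAN, None),
        ("permit", "tcp", EG_EXCHANGE, EXCHANGE_SVC),
    ] + [("permit", "tcp", host(s), RDP_SVC) for s in RDP_SERVERS],
    "VPN-Standard": [
        ("deny", "ip", PROTECT_LAN, None),
        ("permit", "tcp", EG_EXCHANGE, EXCHANGE_SVC),
    ],
}

# Constructed sample users: lists of memberOf values as AD would return them
SAMPLE_USERS = {
    "standard": ["CN=Domain Users,CN=Users,DC=Domain,DC=com",
                 "CN=VPN-Standard-Access,OU=UK,DC=Domain,DC=com"],
    "enhanced": ["CN=VPN-Enhanced-Access,OU=UK,DC=Domain,DC=com"],
    "full": ["CN=VPN-Full-Access,OU=UK,DC=Domain,DC=com"],
    "nogroup": ["CN=Domain Users,CN=Users,DC=Domain,DC=com"],
}


def group_policy_for(memberof):
    """Apply the attribute map; a user with no mapped group falls to NOACCESS."""
    for dn in memberof:
        if dn in ATTRIBUTE_MAP:
            return ATTRIBUTE_MAP[dn]
    return DEFAULT_GROUP_POLICY


def acl_permits(acl_name, proto, dst_ip, dst_port=None):
    """First-match evaluation of one vpn-filter ACL; no match is an implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, ace_proto, net, ports in ACLS[acl_name]:
        if dst not in net:
            continue
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ports is not None and dst_port not in ports:
            continue
        return action == "permit"
    return False


def can_reach(memberof, proto, dst_ip, dst_port=None):
    """Whole chain for one flow: AD groups -> group policy -> vpn-filter -> verdict."""
    policy = group_policy_for(memberof)
    if policy not in VPN_FILTER:      # NOACCESS: no usable session, nothing reachable
        return policy, False
    return policy, acl_permits(VPN_FILTER[policy], proto, dst_ip, dst_port)


if __name__ == "__main__":
    flows = [("tcp", "10.1.2.11", 443), ("tcp", "10.1.2.5", 3389),
             ("tcp", "10.1.2.152", 445), ("tcp", "10.3.4.10", 445)]
    for user, groups in SAMPLE_USERS.items():
        for flow in flows:
            policy, ok = can_reach(groups, *flow)
            print(f"{user:9} {policy:18} {flow[1]}:{flow[2]} {'permit' if ok else 'deny'}")
```

Run it to see, for the same four destinations, a Standard user reaching Exchange only, an Enhanced user adding RDP to the five servers, a Full user reaching the whole corporate LAN but never the protected network, and a user outside all three groups getting nothing. The hit counts from show access-list on the real box should follow the same pattern.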