8/13/2019 Controlling Network Access for SSL VPN Users
Morgan Stepp CCIE #12603 | [email protected] Page 1 of 6
Controlling Network Access for SSL VPN Users
Overview
The SSL VPN configuration will use two Cisco ASA 8.x appliances to terminate SSL sessions and provide VPN load
balancing. SSL Group Policies and Access Control Lists will be maintained on the ASA appliances.
The Cisco Secure ACS 5.2 server will provide RADIUS authentication for SSL VPN users and assign an SSL Group Policy
based on the ACS user's Identity Group. All user accounts will be maintained on ACS.
[Network diagram: Internet (Public) | ASA1 172.20.140.12 / 12.34.56.79, ASA2 172.20.140.13, 12.34.56.80, VPN LB IP 12.34.56.81 | (Private) 3845, Corp LAN, ACS 172.20.140.251, https://web.acme.com. The SSL VPN User connects to https://12.34.56.78.]
ASA Access-List Configuration
The Access Control List will determine which subnets or hosts the SSL Group Policy is permitted to access. Only the
traffic permitted below will be VPN encapsulated.
access-list SSL-ACL3 remark ACME - WEB TRAFFIC
access-list SSL-ACL3 standard permit host 12.34.56.78
ASA SSL Group Policy Configuration
SSL Group Policies will be configured for Split Tunneling. This will encapsulate corporate traffic and leave non-corporate
traffic to traverse the Internet normally.
group-policy SSL-POLICY3 internal
group-policy SSL-POLICY3 attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL-ACL3
 webvpn
  homepage value https://web.acme.com
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect ask none default anyconnect
ACS Identity Group
In ACS, Users are assigned to an Identity Group. For our SSL VPN Users, we will create a Group that combines users with
similar network access requirements. The Group names are internal only and will not be seen by SSL Users. Create the
new Identity Group and select Submit.
Select User and Identity Stores > Identity Groups
ACS Users
Create your new User Accounts and assign these to the desired Identity Group. The Enable Password is not needed
unless this user will perform Cisco Device Administration.
Select User and Identity Stores > Users
ACS Authorization Profiles
The network access level for SSL VPN users is defined using ACS Authorization Profiles. Each Profile can contain multiple
attributes to customize access. In the Ivans SSL VPN configuration, we will create an Authorization Profile for each SSL
User Group in ACS and map each one to the corresponding SSL Group Policy on the ASA. Select the Create
button below to establish a new Authorization Profile.
Select Policy Elements > Authorization Profiles
Name the Authorization Profile and select Submit.
Select the new Profile and open the RADIUS Attributes tab. Click the Select button next to the RADIUS Attribute field.
Within each Profile we will use the RADIUS attribute Class (ID 25) to match the SSL Group Policy previously configured
on the ASA. Select the radio button for the Class attribute and click OK.
Set the attribute value to OU=<VPN Group Policy Name>. In this example, we use OU=SSL-POLICY3. Click Add and
Submit.
ACS Access Policies
The Network Access Policy applies the Authorization Profiles to the SSL VPN User Group (Identity Group). When SSL
users log in, they will be granted access based on the Access Policies of their assigned Identity Group.
Select Access Policies > Authorization
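As an added consistency check (not part of the original document, and not a Cisco tool), the Python below parses an ASA running-config excerpt built from the configuration above and a constructed list of ACS Authorization Profile Class (25) values, then reports, for each profile, which hosts or subnets the selected group policy actually tunnels. A Class value that names a group policy the ASA does not have (the deliberately mismatched SSL-PROFILE4 here) is the error to catch before users are assigned to it; the profile names and the second policy are assumptions for the example.

```python
import re

# Constructed ASA running-config excerpt mirroring the page's configuration.
ASA_CONFIG = """\
access-list SSL-ACL3 remark ACME - WEB TRAFFIC
access-list SSL-ACL3 standard permit host 12.34.56.78
group-policy SSL-POLICY3 internal
group-policy SSL-POLICY3 attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL-ACL3
"""
# Constructed ACS Authorization Profiles: name -> RADIUS Class (ID 25) value.
# SSL-PROFILE4 is a deliberate mismatch: that group policy is not on the ASA.
ACS_PROFILES = {"SSL-PROFILE3": "OU=SSL-POLICY3", "SSL-PROFILE4": "OU=SSL-POLICY4"}

def parse_asa(config):
    """Return ({policy: {attribute: value}}, {acl: [(action, target)]})."""
    policies, acls, current = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):      # a top-level command closes any attributes block
            current = None
            m = re.match(r"^access-list (\S+) standard (permit|deny) (.+)$", line)
            if m:
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            m = re.match(r"^group-policy (\S+) attributes$", line)
            if m:
                current = policies.setdefault(m.group(1), {})
        elif current is not None:         # indented sub-command of the open policy
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return policies, acls

def check_profiles(profiles, config):
    """For each ACS profile: the targets its ASA policy tunnels, or an error string."""
    policies, acls = parse_asa(config)
    findings = {}
    for name, class_value in profiles.items():
        m = re.match(r"^OU=([^;]+);?$", class_value)   # ASA expects OU=<group-policy>
        policy = policies.get(m.group(1)) if m else None
        if policy is None:
            findings[name] = f"ERROR: {class_value!r} selects no group-policy on the ASA"
            continue
        acl = policy.get("split-tunnel-network-list", "value <none>").split()[-1]
        if policy.get("split-tunnel-policy") != "tunnelspecified" or acl not in acls:
            findings[name] = f"ERROR: {m.group(1)} has no usable split-tunnel ACL ({acl})"
            continue
        findings[name] = [target for action, target in acls[acl] if action == "permit"]
    return findings
```

Run it against `show running-config` output from the ASA and an export of the profiles' Class values; any ERROR line means the user would not receive the intended group policy.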