
Ability of IAS with an ASA

Status
Not open for further replies.

pcnetgeek

IS-IT--Management
Sep 15, 2004
82
US
Hello..

This scenario involves a Cisco ASA and a windows 2003 server running IAS (RADIUS).

Our VPN users use Cisco VPN clients to connect to our network. The ASA forwards the credentials to IAS and checks credentials with AD before allowing the connection and access.

Is there a way to control network access using IAS? Example would be that they can access 10.20.20.16/28 but not 10.20.20.0/28. I know this can be done by ACLs, but can IAS support and pass back the info to the ASA telling it which ACL to apply?

I have seen that ACS can do this, but research on using the ASA and IAS isn't clear.

I know some might think this belongs in the Cisco section, but it does not. I need some MS guys to help me confirm the abilities of IAS.

Any recommendations are appreciated..


---
Lenny

Get in where you fit in and squeeze in where you need to fit in..
 
I think you are better off doing that kind of restriction on the ASA if that is the VPN end point.
 
There is some information here but it talks about ACS being configured with downloadable ACLs:


This does mention that they are downloaded from the RADIUS server using Cisco-AV-Pairs, so it is potentially possible with a RADIUS server other than Cisco ACS. If you can't find any other documentation it might be worth downloading the 90-day evaluation version of ACS 4.1, setting this up and capturing the RADIUS conversations with a sniffer.

HTH

Andy
 
@FloDiggs

Thanks.. I already tried proposing this. The overhead is way too much.

@ADB100
I agree that ACS is the way to go, but we want to keep it MS and Active Directory. This would make administration very simple. Even though, like above, these ACLs need to be created on each device.

Thanks for the help.


---
Lenny

Get in where you fit in and squeeze in where you need to fit in..
 
Did you ever find a solution to this? I am trying to do the same thing.

I've been working with Cisco TAC but they aren't that big of a help regarding IAS.

I have an ASA 5510 that I use for SSL VPN. My goal is to have the user credentials for the SSL client be passed on to the IAS server and verified in AD. From there the IAS would pass back the info to the ASA, where the ASA would apply Group Policy settings (IP address, split tunneling, filters, etc.) to that user depending on who the user was.

Talking with the Cisco tech, the IAS server has to have some sort of group mapping to the ASA so the user can get the ASA policies.

Stumped over here
 
@Davey ..

What you are trying to achieve is easy and Cisco TAC must meet the commitment to get you up and running.

My scenario is a little different as I am trying to have the IAS restrict network access rather than the ASA restrict and permit access.

I have been able to get this to work, but I have not found a way to configure IAS for multiple Cisco IPSec groups. So I do something like..

!on ASA
access-list ABI_splitTunnelAcl standard permit 10.10.7.0 255.255.255.0

Then on the IAS server I can control what hosts they can access on that 10.10.7.0 network. Maybe just a /27 or all hosts except 1 host. I can control all network access via IAS. It's great; but multiple IPSec groups is where I'm stumped. IAS won't respect which group connects, it accepts the connection for any group even if I use the "Windows Group" attribute.


HTH. The most you need to look at is the xs4all link .. the others are for additional info ..


I use the former of the methods in this document to achieve what I stated above ..

Try these links or PM me if you need help..


---
Lenny

Get in where you fit in and squeeze in where you need to fit in..
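As an added example (not from this thread, and not Cisco's or Microsoft's code), here is how the Cisco-AV-Pair attribute Andy mentions is carried inside a RADIUS Vendor-Specific attribute, and how a receiver would pull per-user ACL lines like Lenny's back out of an Access-Accept. The ACL lines are constructed to match Lenny's "just a /27 of 10.10.7.0" case; the `ip:inacl#` form is the per-user ACL syntax Cisco documents for cisco-av-pair, and vendor 311 in the test is only used as a non-Cisco placeholder.

```python
import struct

# RADIUS Vendor-Specific attribute (RFC 2865) carrying Cisco's enterprise number
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AV_PAIR = 1  # vendor type Cisco assigns to "cisco-av-pair" strings

# Constructed per-user ACL: allow only the first /27 of the 10.10.7.0/24 network.
SAMPLE_ACL = [
    "ip:inacl#1=permit ip any 10.10.7.0 255.255.255.224",
    "ip:inacl#2=deny ip any any",
]


def encode_av_pair(text, vendor=VENDOR_CISCO):
    """Wrap one AV-pair string in a RADIUS Vendor-Specific attribute."""
    value = text.encode("ascii")
    if len(value) > 245:  # 253-byte attribute limit minus 8 bytes of headers
        raise ValueError("av-pair too long for a single attribute")
    vsa = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), vendor) + vsa


def decode_av_pairs(attrs):
    """Return every cisco-av-pair in a RADIUS attribute list (other vendors skipped)."""
    pairs, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")  # never trust on-wire lengths
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j, end = i + 6, i + alen
            while vendor == VENDOR_CISCO and j < end:
                if j + 2 > end:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("bad vendor sub-attribute length")
                if vtype == CISCO_AV_PAIR:
                    pairs.append(attrs[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return pairs


def sample_access_accept_attrs():
    """Attribute bytes a RADIUS server would place in the Access-Accept."""
    return b"".join(encode_av_pair(p) for p in SAMPLE_ACL)
```

On IAS this corresponds to a Vendor-Specific attribute with vendor code 9, vendor-assigned attribute number 1 and a string value, one attribute per ACL line.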
 