
User based ACLs


qwasd (IS-IT--Management), Oct 27, 2002
Hi.
I would like to PPTP to a PIX 515. I would like to grant access to the internal network based on who connected. For example, userA may go to File server. UserB may use Database.
It looks like it can be done using RADIUS (e.g. acl=eng). Has anyone done it? Can you give any hints?
Is it all-or-none access? If you have a valid password, it is all yours?

Thanks.
 
HI !

You can do it with "no sysopt connection permit-ipsec" and then use access-lists to permit access to the specified destinations !

Hope that helps



Best regards
 
How do I differentiate on the from side? How do I define userA and UserB?
 
You can differentiate them by their ip address !

You can use crypto map entries for that and you can specify the username and the password with vpngroups ...

Try searching in this forum, there were several threads for this issue..


Best regards

Have fun
 
Thanks for the reply.

>>You can differentiate them by htere ip address !
Anyone can be connecting from anywhere. Before they connect, I do not know what IP they will have. When they connect to the VPN, I am assigning IP addresses. Once they connect, how do I assign UserA a specific IP address?

>>You can use crypto map entries for that and you can specify the username and the password with vpngroups ...
That brings up another point. What is the difference between VPDN group and vpngroup? Is it that the first is for PPTP and the second for the Cisco VPN client? I would like to use PPTP not the Cisco VPN client software.
Does VPDN group support more than 1 group (e.g. vpdn group 1..., vpdn group 2...)? (Again, how would I differentiate to the PIX which one it should be using? The username command does not tie a name to a specific group.)

>>Try searching in this forum, there were several threads for this issue..
Believe me, I have searched everywhere! I have been working on this for weeks. I have come across postings that people are using acl= as a RADIUS reply attribute. I have tried contacting people, so far with no luck. I do remember a single post that although Cisco says it works, it does not. I do not know the specifics. There was an issue prior to 6.1 with the format of the reply.


>>Best regards

>>Have fun
I'm not anymore :-(

Thanks again.
 
HI.

> What is the difference between VPDN group and vpngroup?
> Is it that the first is for PPTP and the second for the
> Cisco VPN client
Yes.

> I would like to use PPTP not the Cisco VPN client software
The Cisco VPN client has several advantages, one of them is the option for dual authentication (groupname/password, and then username/password) which is more difficult to hack.

> I have come across postings that people are using acl= as a RADIUS reply attribute.
I think that this is the way to go, but I never did try it.
You might also need to use "aaa authorization" in some way with it, but I never actually tried it either.

Some other options that you can use:

***
If you have 2 types of incoming VPN clients, 1 type with many users that need limited access, and 2nd type with few users that need more access, then you can go with this combination:
Use one type of VPN (PPTP) for the first group and limit the access with access-list. Use a different kind of VPN (Cisco IPSec) for the second group with different ip pool and different access-list.

***
You can terminate the VPN tunnels with an MS VPN (RRAS) server - this may give you more options to control the traffic or give ip address to specific users.
If you can dedicate a server for this and place it in a dedicated PIX interface this is best to give you the needed control.
This can also be done with the Cisco VPN concentrator (3xxx) which can give you more options as a dedicated VPN device.

Bye
Yizhar Hurwitz
 
A step closer!

I was able to use acl=<access-list> using virtual telnet, aaa authentication, and RADIUS. What I have now is:
1 - If I come in with PPTP using vpdn client authentication LOCAL and vpdn username, then PPTP works and uauth is not being used (show uauth shows nothing). (I am not 100% sure of this first statement.)

2- If I come in with PPTP using vpdn client authentication radius, then PPTP works and uauth IS being used (show uauth shows login name), but no acl is listed under show uauth.

3 - If I do not use PPTP, and just telnet to the virtual telnet, then uauth IS being used, and an acl is listed under show uauth!

4 - If I do 2 and then 3, then when I telnet, it disconnects me from uauth because the telnet reverses the current status. If you are not logged in, it logs you in. If you are logged in, it logs you out. Here I was logged in from step 2, so when I do step 3, it logs me out. That breaks the PPTP connection so I am totally disconnected.

5 - If I do 3 and then 2, then there are 2 uauth entries. The first is my real IP address, and the 2nd is the VPN one. The VPN one does not use the acl assigned to the real IP address. (It sees me as being logged in twice from 2 different addresses.)

I would like to use step 3 to get fine grained access control. I would like to use step 2 for encryption. (IPSec should work the same as in step 2, no better or worse.) It looks like (not tested) I can use step 1 and step 3 and it would work. What I do not like about it is that I have to have 2 password databases (PIX config and RADIUS), and the PIX one is cleartext. I would rather let people set their own password (preferably in a single place) and the administrator does not have to know it.

Any ideas on how I can go further?

Thanks.

 
HI.

> If I do 2 and then 3, then when I telnet, it disconnects me from uauth ...
I would try cut-through proxy authentication instead of virtual telnet.
Something like this:
* Use option 2 for VPN authentication. (vpdn client authentication radius).
* Define a restrictive access-list for VPN clients that will block their network access.
* Use "aaa authentication" and "aaa authorization" commands to apply AAA on traffic from VPN clients ip range to internal network.
* The client will need to initiate a telnet or http session to an internal server, and then the pix will prompt for authentication.

I think that you need different RADIUS configuration for this.
The radius server should send the actual access-list commands like "permit tcp any host ..." and the pix will add these to the existing access-list from the configuration.
I don't know how to do that with MS IAS.
Maybe it will also work with "acl=" - let us know.
I haven't tried either yet.

I suggest that you first practice AAA on normal (not VPN) traffic, and only after you get it working, adding the VPN complexity should be simple.

Another option to try is "virtual http" instead of "virtual telnet". Same idea here, but maybe this will not log you out?

Bye
Yizhar Hurwitz
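The acl= reply attribute that this thread keeps coming back to is, on the PIX, carried inside the Cisco vendor-specific RADIUS attribute (attribute 26, vendor ID 9, cisco-av-pair sub-type 1). The following is an added Python example, not code from this thread or from Cisco: it builds such an Access-Accept with a constructed shared secret, parses the vendor-specific attribute back out to show exactly what the firewall would receive, and checks the Response Authenticator (RFC 2865) so that a reply with the wrong attribute format, or one not signed with the shared secret, can be spotted while troubleshooting. The shared secret, request authenticator and ACL name "eng" are constructed sample values, and that the PIX version in use reads acl= from this VSA is an assumption to confirm against the documentation for that release.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865; Cisco VSA values are the well-known
# vendor ID 9 with cisco-av-pair as vendor sub-type 1.
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1


def encode_attr(attr_type, value):
    """Encode one top-level RADIUS attribute as type / length / value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Wrap a 'name=value' string in a Cisco vendor-specific attribute."""
    payload = text.encode()
    sub = struct.pack("!BB", CISCO_AV_PAIR, len(payload) + 2) + payload
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(ident, request_authenticator, secret, attrs):
    """Build an Access-Accept; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(packet):
    """Return [(type, value)] for each top-level attribute, rejecting bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def cisco_avpairs(packet):
    """Extract every cisco-av-pair string carried in vendor-specific attributes."""
    pairs = []
    for attr_type, value in parse_attrs(packet):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            sub_type, sub_len = struct.unpack("!BB", value[pos:pos + 2])
            if sub_len < 2 or pos + sub_len > len(value):
                raise ValueError("bad VSA sub-attribute length")
            if sub_type == CISCO_AV_PAIR:
                pairs.append(value[pos + 2:pos + sub_len].decode(errors="replace"))
            pos += sub_len
    return pairs


def acl_from_reply(packet):
    """Return the access-list name an acl= pair names, or None if absent."""
    for pair in cisco_avpairs(packet):
        name, sep, acl = pair.partition("=")
        if sep and name.strip().lower() == "acl":
            return acl.strip()
    return None


def verify_response(packet, request_authenticator, secret):
    """True only if the reply was produced with this shared secret."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


# Constructed sample values (not real credentials or captured traffic).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE_REPLY = build_access_accept(7, REQ_AUTH, SECRET, [encode_cisco_avpair("acl=eng")])

if __name__ == "__main__":
    print("av-pairs:", cisco_avpairs(SAMPLE_REPLY))
    print("acl:", acl_from_reply(SAMPLE_REPLY))
    print("authentic:", verify_response(SAMPLE_REPLY, REQ_AUTH, SECRET))
```

Pointing this parser at a reply captured from the real server (after the firewall has authenticated a user) shows whether the server is actually emitting acl= as a Cisco AV pair or as some other attribute, which is the kind of format mismatch the earlier post about pre-6.1 behaviour describes.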
 
Thanks.

>I would try cut-through proxy authentication instead of virtual telnet.
>Something like this:
>* Use option 2 for VPN authentication. (vpdn client authentication radius).
>* Define a restrictive access-list for VPN clients that will block their network access.
>* Use "aaa authentication" and "aaa authorization" commands to apply AAA on traffic from VPN clients ip range to internal network.
>* The client will need to initiate a telnet or http session to an internal server, and then the pix will prompt for authentication.

In step 2, I am not sure if you mean a general access list or one per user.
My problem is that per user does not get applied when logging in through VPN. For aaa authentication, I think I need the access list to let the traffic through, and aaa just adds the restriction that it must pass aaa in addition to the access list in order to pass.

>I think that you need different RADIUS configuration for this.
>The radius server should send the actual access-list commands like "permit tcp any host ..." and the pix will add these to the existing access-list from the configuration.
>I don't know how to do that with MS IAS.
>Maybe it will also work with "acl=" - let us know.
>I haven't tried either yet.

It looks like either should work. I can test, although it is a little harder because I do not even have show uauth to guide me. I have to test traffic.

>I suggest that you first practice AAA on normal - not VPN traffic, and only after you get it working adding the VPN complexity should be simple.

AAA, I finally got working. With the VPN though uauth is done, but without the access list and as mentioned, I am having trouble getting the access list there while keeping the VPN alive.

>Another option to try is "virtual http" instead of "virtual telnet". Same idea here, but maybe this will not log you out?

I think either virtual will work the same.
Using a real telnet will probably just be allowed without prompting for authentication because the uauth was done already for this IP address. (Show uauth has it listed because of the VPN.)

So, I have some testing to do... on a live firewall.
 