[c-nsp] ACS and ASA VPN user authentication

mcgrath at fas.harvard.edu
Wed Aug 29 08:24:00 EDT 2007


Sounds like you have a significant security issue here.

If you have a PKI you can issue machine certificates and check them during the XAUTH phase. So even if the user manages to transfer a .pcf to an unauthorized device, the machine cert will be invalid and the XAUTH will fail. You could use the concentrator's client update feature to push a new .pcf with the certificate features enabled and email all authorized users machine certs in PEM format along with instructions on how to import the certs into the client cert store.

Alternatively, you could enable group locking, but in that case you will need to pass the authorized group as part of the RADIUS transaction.

-----Original Message-----

From:  "Brett Looney" <brett at looney.id.au>
Subj:  [c-nsp] ACS and ASA VPN user authentication
Date:  Wed Aug 29, 2007 2:05
Size:  1K
To:  <cisco-nsp at puck.nether.net>

Greets,

Background: When connecting to an ASA using the Cisco VPN client you've got
to build a connection entry (stored as a PCF file) that includes the VPN
group name and VPN group shared key. PCF files can be migrated from one
machine to another.

We have an issue where a tech-savvy user has taken a copy of a PCF file and
put it on a new laptop. Consequently, he can connect to an existing VPN
group (that lots of other users connect to) and get access to things he
shouldn't be able to.

However, we want to let this user still connect to the ASA but using a
different VPN group. But we have no way of forcing him to do this. We can't
disable his account for this reason. And we can't change the group key
because that would affect lots of users, some in remote locations that we
can't get to.

The root cause here is that in ACS I can't find any way of limiting a user
(or group for that matter) to a particular VPN Group. The ASA doesn't appear
to pass that attribute to the ACS and I can't find any attribute in the list
of TACACS+ attribute-value pairs that would do this.

So, is there a way I can do this with ASA and ACS? I want to lock a
particular user (or group) to a VPN group and not let them connect any other
way.

More information:

We're using ACS for Windows 3.3 (but can upgrade if necessary) and
authenticating via TACACS+.
We're running ASA code version 7.2.2.

Any ideas? Does this even make sense? TIA.

B.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

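Editor's note: the group-locking approach from the reply above, shown as an ASA 7.2-style configuration. This is an added example, not config posted by either participant; the server-group, group-policy, tunnel-group and ACL names, the RADIUS host address and the placeholder keys are all assumed. The idea is that the ASA applies per-user VPN attributes only from a RADIUS reply, so ACS has to answer over RADIUS (not TACACS+) and return, for the restricted user, a group-policy whose group-lock names only his own tunnel-group. If he then connects with the copied .pcf through the shared group, the group-lock mismatch rejects the session, and the shared group's key never has to change.

```cisco
! Added example (assumed names/addresses), ASA 7.2 CLI.
! RADIUS server group pointing at ACS; per-user VPN attributes
! (Class/group-policy, Tunnel-Group-Lock) are only honoured from RADIUS.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key RADIUS-SECRET-PLACEHOLDER

! Group-policy for the restricted user. group-lock means a user who is
! assigned this policy may only connect through tunnel-group RESTRICTED-TG;
! a login via any other tunnel-group (e.g. the shared STAFF-TG) is refused.
group-policy RESTRICTED-GP internal
group-policy RESTRICTED-GP attributes
 group-lock value RESTRICTED-TG

! Dedicated tunnel-group (the "VPN group" in the .pcf) for that user, with
! its own pre-shared key; the existing shared group key is left untouched.
tunnel-group RESTRICTED-TG type ipsec-ra
tunnel-group RESTRICTED-TG general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy RESTRICTED-GP
tunnel-group RESTRICTED-TG ipsec-attributes
 pre-shared-key NEW-GROUP-KEY-PLACEHOLDER

! The shared group keeps authenticating against the same ACS; it only needs
! to use the RADIUS server group so the per-user reply attributes arrive.
tunnel-group STAFF-TG general-attributes
 authentication-server-group ACS-RADIUS
```

On the ACS side, the restricted user (or his ACS group) is configured to return the IETF Class attribute (25) with the value `OU=RESTRICTED-GP`, which the ASA maps to the group-policy above; alternatively the Cisco VPN3000/ASA/PIX vendor attribute Tunnel-Group-Lock (85) can carry the tunnel-group name directly. Worth checking after the change: a test login through STAFF-TG with the restricted user's credentials should be rejected (the ASA logs a group-lock mismatch), while the same credentials through RESTRICTED-TG should succeed.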
