[c-nsp] ASA VPN groups... pointer/howto/cookbook?

Ryan West rwest at zyedge.com
Wed Sep 28 15:59:07 EDT 2011


On Wed, Sep 28, 2011 at 14:05:51, Jeff Kell wrote:
> Subject: [c-nsp] ASA VPN groups... pointer/howto/cookbook?
> 
> I have been running standard VPN client profiles for VPN access for 
> quite a few years, on PIX and now on ASA.  I'm working on our next 
> generation prototype now, and the number of VPN groups are growing a 
> bit out of hand.
> 
> Up to this point we have been distributing groups/roles by providing a 
> suitable .pcf connection profile with the VPN client to each user.  
> The .pcf contains the group name and preshared key (yes, admittedly 
> not that secure).
> 
> The current scheme is working fine, just getting a bit out of hand 
> with the growing number of groups and necessity of distributing the .pcf files.
> 
> It would be "nicer" if the client simply connected to the VPN server, 
> authenticated (we are using TACACS+, but I also have a working Active 
> Directory profile for a more general-purpose group), and had the 
> appropriate group supplied by TACACS+ (or AD).
> 
> It would be even nicer still if the client could connect either 
> split-tunnel (from home or a secure location) or full-tunnel (to 
> encrypt everything, if on a hotspot or WiFi for example).  Currently 
> this is done with two .pcf files (and two corresponding groups on the ASA).
> 
> There are a dizzying number of possibilities and methods outlined in 
> the documentation, but I was hoping for a more direct approach to 
> accomplishing this goal.
> 
> Pointers?  References?  Suggestions?  (I would RTFM if it weren't so 
> F'ing huge :)  )
> 

I'm not sure what licensing model you currently have for AnyConnect, but with some premium licenses you could run CSD combined with DAP to apply policies for company owned vs. public computers.  DAP can also leverage LDAP attributes from AD to provide different levels of access based on AD group or department membership.   The main negative point with DAP is being locked into ASDM to make future changes.  

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1169923

-ryan