NAR restriction for remote access clients

Hello

Just a question about how to restrict users' remote access to certain NAS servers.

We have an ACS 2.6 AAA server and several 3640-based NAS servers for remote user access. The users are gathered into a group on the ACS.

We have another group, called ISP. Users in this group can use the internet anywhere in the world; they must dial the local number of the given ISP NAS, and all the ISP NASes pass the authentication request to our ACS. So we can centrally manage both direct RAS users and internet users.

The problem is that a user in one group can use the other group's dial-in facility, since all dial-in attempts are authenticated on the same server.

How can I restrict it so that the ISP group cannot use the NAS outside the company and cannot dial in to our dedicated RAS server, and so that the regular RAS users cannot use the internet access (which is given to the ISP users)?

I applied filters in the ACS group settings, but could find no documentation on exactly how to configure it. Any help appreciated.

Kind regards

Balázs

Balázs,

Thanks for sharing your experience. I'm sure it will be useful for others. Yes, the browser is a problem for any management software ;-)

Thanks again,

Renault
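The restriction Balázs is asking for is what ACS calls a network access restriction (NAR): a group may only be authenticated by a given set of NASes (and, optionally, only for a given dialed number). ACS 2.6 is configured through its GUI, so the following is an added example, not from the original thread or from Cisco ACS, showing the decision a RADIUS server applies once such a restriction exists. All NAS addresses, dialed numbers, users and groups are constructed for the example.

```python
"""Added example, not from the original thread or from Cisco ACS: the decision
a RADIUS server makes when a per-group network access restriction (NAR) is in
place, so that the company RAS population and the ISP population cannot use
each other's dial-in facility.

Everything below (NAS addresses, dialed numbers, users, groups) is constructed
for the example and is not taken from the original post.
"""
import ipaddress
import os
import struct

# RADIUS attribute types (RFC 2865)
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLED_STATION_ID = 30      # the DNIS, i.e. the number the user dialed

# Assumed NAS inventory
COMPANY_RAS_NAS = {"192.0.2.10", "192.0.2.11"}   # the company's 3640s
ISP_NAS = {"198.51.100.5", "198.51.100.6"}      # the ISP's NASes

# Assumed user -> group mapping, as kept on the ACS
USER_GROUP = {"alice": "RAS", "bob": "ISP"}

# NAR per group: which NASes may authenticate the group and, optionally,
# which dialed number.  None for DNIS means "any number".
GROUP_ALLOWED_NAS = {"RAS": COMPANY_RAS_NAS, "ISP": ISP_NAS}
GROUP_ALLOWED_DNIS = {"RAS": {"5551000"}, "ISP": None}


def decode_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attribute-value pairs of a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20                 # 20 = header + Request Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def nar_decision(packet: bytes) -> tuple:
    """Apply the group NAR to an Access-Request.

    Returns (user, nas_ip, verdict, reason) where verdict is 'accept' or
    'reject'.  Credential checking is out of scope; a real server does it too.
    """
    attrs = decode_attributes(packet)
    user = attrs.get(USER_NAME, b"").decode()
    nas_ip = None
    if NAS_IP_ADDRESS in attrs:
        nas_ip = str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS]))
    dnis = attrs.get(CALLED_STATION_ID, b"").decode() or None

    group = USER_GROUP.get(user)
    if group is None:
        return user, nas_ip, "reject", "unknown user"
    if nas_ip not in GROUP_ALLOWED_NAS[group]:
        return user, nas_ip, "reject", f"NAS {nas_ip} not permitted for group {group}"
    allowed_dnis = GROUP_ALLOWED_DNIS[group]
    if allowed_dnis is not None and dnis not in allowed_dnis:
        return user, nas_ip, "reject", f"dialed number {dnis} not permitted for group {group}"
    return user, nas_ip, "accept", f"NAS and dialed number permitted for group {group}"


def build_access_request(ident: int, user: str, nas_ip: str, dnis: str = None) -> bytes:
    """Constructed Access-Request carrying the attributes the NAR looks at."""
    def avp(atype: int, value: bytes) -> bytes:
        return bytes([atype, len(value) + 2]) + value

    attrs = avp(USER_NAME, user.encode())
    attrs += avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    if dnis:
        attrs += avp(CALLED_STATION_ID, dnis.encode())
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    return header + os.urandom(16) + attrs                   # random Request Authenticator


if __name__ == "__main__":
    for ident, (user, nas, dnis) in enumerate([("alice", "192.0.2.10", "5551000"),
                                               ("alice", "198.51.100.5", None),
                                               ("bob", "192.0.2.10", "5551000"),
                                               ("bob", "198.51.100.6", None)]):
        print(nar_decision(build_access_request(ident, user, nas, dnis)))
```

One practical caveat: NAS-IP-Address is whatever the NAS puts in the packet. The server should identify the NAS by the source address and shared secret of the request (the "AAA clients" table in ACS) rather than by the attribute alone, otherwise a box that knows a secret could claim to be any NAS. Called-Station-Id (the dialed number) is the natural second key for the "must dial the local ISP number" case, which is why the example checks both.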

Tags: Cisco Security

Similar Questions

  • ASA 5510 VPN: remote access clients are asked to authenticate on the box

    Don't know what's the matter, but my remote access users are prompted to authenticate to the ASA before connecting to the tunnel. How can I disable this? Config is attached. Thank you all -

    For remote access connections, you can turn off the xauth (user/pass) prompt with the following:

    tunnel-group <name> ipsec-attributes
     isakmp ikev1-user-authentication none

    -heather

  • Self-signed certificate for remote VPN client access

    Hi people,

    I am trying to achieve two-factor authentication, first with RADIUS and second with a self-signed certificate. When I generate a self-signed certificate and try to import it, error 39 occurs. The only obstacle is authenticating with the certificate. I saw some documents on setting up a separate certificate server (CA) and then importing into the clients, but I am curious whether an automatically generated certificate can be used to authenticate the remote access client.

    Additionally, the ASA's Local CA is not supported in failover mode. Is there a way to support a local CA?

    Thank you

    Are you talking about using self-signed client certificates? I guess that it will not work. At least it is not scalable. You must use an internal CA for this task. As the local certification authority cannot be used with failover, you can take a Windows Server 2k3 or 2k8. Another option is to use an IOS router as the CA server. But why not take something else as a second factor? I'm a big fan of using smartphones with the www.duosecurity.com service.


  • Hairpinning between remote access clients and a remote site over a site-to-site tunnel

    Here's the scenario: remote VPN users access an ASA 5510 with split tunneling. The ASA has a site-to-site tunnel to another site. The remote access VPN users must be able to reach devices across that site-to-site tunnel. Is this possible? Most of what I see on hairpinning is about internet access when not using split tunneling.

    Thank you!

    You can do this.  First of all, make sure that the command "same-security-traffic permit intra-interface" is configured.  Then update your remote access split-tunnel ACL to include the subnets reachable via the L2L tunnel; that way, clients receive a static route sending traffic for those subnets through the remote access tunnel.  The crypto ACL for the L2L tunnel must include an entry, either specific or summarized, from the VPN client pool to the destination subnets.  The corresponding crypto ACL on the far side of the L2L tunnel needs to be updated with the mirror image of the hub configuration.  Finally, if you have NAT configured on the ASA, you need to include an exemption rule for the VPN client pool -> remote subnet traffic flow.
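    The steps in the answer above, as an added configuration example that is not from the original post (ASA 8.3 or later syntax; every object name, ACL name, group policy and address is assumed: client pool 10.200.0.0/24, hub LAN 172.16.0.0/24, spoke LAN 172.20.0.0/24):

```cisco
! Added example, not from the original post: hub ASA configuration that lets
! remote-access clients reach the spoke LAN through the site-to-site tunnel.
! Names and addresses are assumed for the example.
same-security-traffic permit intra-interface
!
object network VPN-POOL
 subnet 10.200.0.0 255.255.255.0
object network SPOKE-LAN
 subnet 172.20.0.0 255.255.255.0
!
! Split-tunnel list: clients get routes for the hub LAN and the spoke LAN
access-list SPLIT-TUNNEL standard permit 172.16.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 172.20.0.0 255.255.255.0
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! L2L crypto ACL: hub LAN and the client pool to the spoke LAN
! (the spoke's crypto ACL must be the mirror image of these two lines)
access-list L2L-SPOKE extended permit ip 172.16.0.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list L2L-SPOKE extended permit ip 10.200.0.0 255.255.255.0 172.20.0.0 255.255.255.0
!
! NAT exemption for the hairpinned flow, which enters and leaves on "outside"
nat (outside,outside) source static VPN-POOL VPN-POOL destination static SPOKE-LAN SPOKE-LAN no-proxy-arp route-lookup
```

    One check worth doing afterwards: with the default "sysopt connection permit-vpn", decrypted VPN traffic is not evaluated against the outside interface ACL, so once the hairpin works every client can reach every host in the spoke LAN. A "vpn-filter" on the group policy is the place to narrow that down.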

  • How to use ACS 5.2 to create a static IP address for a remote access VPN user

    Hi all

    I have a problem. Please help me.

    Initially I used ACS 4.2 to create the static IP address for the remote access VPN user; it's easy, just configure User Setup > Client IP Address Assignment > Assign static IP address. But with ACS 5.2 I don't know how to do it.

    I'm trying to add the IPv4 address attribute to the user by following "How to use ACS 5.2", which says this:

    Step 1: Add the static IP attribute to the internal user attribute dictionary:

    Step 2: Select System Administration > Configuration > Dictionaries > Identity > Internal Users.

    Step 3: Click Create.

    Step 4: Add the static IP attribute.

    Step 5: Select Users and Identity Stores > Internal Identity Stores > Users.

    Step 6: Click Create.

    Step 7: Edit the user's static IP attribute.

    I did just that, but it doesn't work. When I use the EasyVPN client to connect to the ASA 5520, the user authenticates successfully but does not get the static IP I set up on the internal user, so the tunnel setup fails. When I configure an IP pool on the ASA for ACS users to get their IP from and connect the EasyVPN client to the ASA, everything is OK and the user authenticates successfully. But when I remove the IP pool configuration and use the "add a static IP address to the user" configuration, EzVPN fails.

    So what should I do? If anybody knows how to use ACS 5.2 to create a user with a static IP address for remote access VPN, please tell me.

    Waiting for your answer; whether the question is right or not, please answer. Thank you.

    There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instructions in the two slides attached.
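    The answer hinges on whether the Access-Accept actually carries Framed-IP-Address (RADIUS attribute 8). The following is an added example, not from the original post or from Cisco ACS, that builds such a reply and checks a captured one for the attribute and for a valid Response Authenticator; the shared secret, identifier and addresses are constructed.

```python
"""Added example, not from the original thread or from Cisco ACS: build the
Access-Accept a RADIUS server sends when a user has a static address, and check
a captured reply for the Framed-IP-Address attribute and a valid Response
Authenticator.  Shared secret, identifiers and addresses are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8        # RFC 2865 attribute type
# RFC 2865 reserves two values: the NAS assigns from its own pool, or the user
# may pick the address.  Seeing the first one explains "no static IP".
NAS_SELECTS = "255.255.255.254"
USER_SELECTS = "255.255.255.255"


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        framed_ip: str) -> bytes:
    """Access-Accept carrying Framed-IP-Address, bound to the request it answers."""
    attrs = bytes([FRAMED_IP_ADDRESS, 6]) + ipaddress.IPv4Address(framed_ip).packed
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def framed_ip_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Return the Framed-IP-Address value from an authentic Access-Accept.

    Returns the dotted address, 'nas-selects', 'user-selects', or None when the
    attribute is absent (the symptom in the question).  Raises ValueError when
    the reply is not an Access-Accept or its Response Authenticator is wrong.
    """
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or tampered reply")
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == FRAMED_IP_ADDRESS and alen == 6:
            ip = str(ipaddress.IPv4Address(attrs[pos + 2:pos + 6]))
            return {NAS_SELECTS: "nas-selects", USER_SELECTS: "user-selects"}.get(ip, ip)
        pos += alen
    return None


if __name__ == "__main__":
    secret, req_auth = b"constructed-secret", bytes(range(16))
    reply = build_access_accept(7, req_auth, secret, "10.200.115.78")
    print(framed_ip_from_accept(reply, req_auth, secret))
```

    Run against a capture of the ACS reply, a result of None means the server never sent the address and the problem is on the ACS side (the extra steps the answer refers to); 'nas-selects' means ACS told the ASA to use its own pool. The MD5-based Response Authenticator is what RFC 2865 prescribes; it only ties the reply to the shared secret, so RADIUS between ACS and ASA should still travel over a protected path.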

  • Does AnyConnect 3.0 support IPsec VPN for remote access?

    Hello world

    I've read in the Cisco AnyConnect 3.0 Q&A that it supports IPsec VPN for remote access:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html

    I downloaded and installed the AnyConnect Secure Mobility Client 3.0.0629, but I'm not able to get the IPsec VPN to work. Also, it has no option to use the PCF files of the previous Cisco IPsec VPN client.

    Can someone point me in the right direction to get IPsec VPN working with AnyConnect 3.0?

    Thank you in advance!

    Hello

    AnyConnect supports IPsec from version 3.0, but only in combination with IKEv2.

    There is no option to use a PCF file with it, and the configuration should be pushed through an AnyConnect profile.

    More information on this:

    http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect30/Administration/Guide/ac02asaconfig.html#wp1325361

    You should also change the ASA config so that it accepts IKEv2 negotiations:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_ike.html#wp1144572

    Kind regards

    Nicolas
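    The profile setting the answer refers to, as an added example that is not from the original post or from Cisco's documentation; the host name and address are assumed:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post: the server-list entry that makes
     AnyConnect 3.0 use IPsec/IKEv2 instead of SSL for this head end.
     HostName and HostAddress are assumed. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN (IKEv2)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

    The profile is pushed to the client by the ASA (it is referenced from the group policy), so the first connection is still made over SSL to fetch it; on the ASA side IKEv2 for AnyConnect is turned on with "crypto ikev2 enable outside client-services port 443" in addition to the IKEv2 policy and proposal from the linked guide.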

  • Remote access client 2.0.1 for Mac OS 10.4.11 connecting to a remote server running Windows Server 2008 R2

    I have a Mac with OS 10.4.11 and I'm trying to access a remote server running Windows Server 2008 R2.  I have installed, uninstalled and reinstalled the Remote Access Client for Mac 2.0.1 but I cannot connect.  My network administrator tells me that Mac OS 10.4.11 is so old and useless that I'd be better off just throwing my computer away and buying a new one in order to solve the problem.  This is absurd.  Can you help me?

    Hi Benjamin Spicer,

    Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited to Windows Server on TechNet. Please post your question in the TechNet Remote Desktop Services (Terminal Services) forum.

  • How to configure a VPN 3000 Concentrator for remote access

    I have inherited a VPN concentrator and want to configure it to provide remote access to my internal lab network when I'm traveling.  The private interface is configured as 192.168.1.240/24.  The public interface is configured as one of my public IP addresses.  I have a public IP pool on the back side of a Roadrunner cable modem.  I created an address pool for clients of 192.168.1.200 through 192.168.1.205.  I created all the base group, group and user configurations.

    In the IP Routing tab, I see a default route pointing to my public gateway IP address, the IP address of my Roadrunner cable modem gateway.

    From my VPN client, I am able to connect to the VPN concentrator.  I get an address from the pool, and checking the tunnel details under the statistics section shows the correct pool IP address for the client and the correct public IP address of my VPN reorga

    Jeff,

    According to the statistics, it seems that the client sends traffic to the concentrator, but the replies are not getting back.

    We need to check the concentrator settings themselves.

    I need to check the concentrator settings, and as it is a GUI-based device I can't even ask for a show tech; the only option available is WebEx.

    If you're OK with WebEx, please let me know a convenient time and your email ID so I can send the invitation; it won't take much time and we'll sort it out.

    Thank you

    Ankur

  • alternatives to LogMeIn Pro for remote access?

    Greetings.  Currently we have systems in the United States, Switzerland and Mexico that I support via remote access using LogMeIn Pro.  We paid for a subscription before LMI Free was discontinued, to enjoy the features of LMI Pro.  But since LMI eliminated the free service, it seems their subscription rate more than doubles each year.  We currently need remote access to 3 Macs and 2 Windows units (ew).

    Last year we paid $174 for the annual subscription supporting these 5 systems.  I just checked the renewal price and it shows $349.00.  This is getting too expensive!

    Last year I invested in ARD to support my mother's MacBook and an old friend's MacBook, rather than pay LMI for a subscription to support those systems.  ARD was a good alternative for those systems, but it is not a realistic alternative for the remote systems of the charity I help support: partly because of the PCs, also because it requires port forwarding in the router, and finally because I have to be at my computer to use ARD to access those other systems.  LMI offers the possibility of accessing systems through an iOS app, and it can be used by other members of the charity's team wherever in the world each of us is physically located.  That's why we have maintained the LMI Pro subscription for a number of years.

    But with LMI's ridiculous perennial rate increases (I think they take their pricing from Obamacare), I'm on my eternal quest for a remote access alternative.

    Can anyone offer advice?

    Thank you very much for your thoughts,

    Dee Dee in Florida

    There are:

    - Apple Back to My Mac

    Set up and use Back to My Mac - Apple Support

    - TeamViewer, free for non-commercial and paid for commercial use.

    - GoToMyPC, which also works with Mac

  • How many VPN groups are supported by an ASA 5520 for remote access?

    Hello

    How many VPN groups are supported on an ASA 5520 with a remote access VPN configuration?

    Regards

    1. If nat-control is disabled and you do not have any other NAT command in your config file, you do not need it. Try removing the existing "nat 0" command and do a "clear xlate".

    2. You must ensure that your inside network knows it can go via the ASA to reach the remote VPN client IPs. Do you have any layer 3 device behind the ASA that does the routing? If so, please verify its routing table.

  • Reverse Route Injection for remote VPN clients

    Hello world

    Can you confirm whether Reverse Route Injection is used only for site-to-site VPN?

    Also, say we have two sites using site-to-site VPN:

    Site A                                                         Site B

    Private IP                                                     Private IP

    172.16.x.x                                                     172.20.x.x

    Now, as we have site-to-site VPN, we can either enable the NAT-T option, which will allow 172.16 IPs to reach site B as 172.16 only,

    without changing the IP address.

    Option 2

    If we don't enable NAT-T and we enable Reverse Route Injection, and we use, say, OSPF on the ASAs in sites A and B.

    In this case, do we enable RRI so that we can advertise the private 172.16 route over the internet to site B?

    Regards

    Mahesh

    Hello Mahesh,

    "Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs Open Shortest Path First (OSPF) or Routing Information Protocol (RIP) for remote VPN clients or LAN-to-LAN sessions."

    Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

    As a result, RRI allows the ASA to learn routing information for connected peers and advertise it via RIP or OSPF.

    NAT-T is automatically detected and used when the local or the remote peer is behind NAT.

    To answer your question:

    If NAT-T is required and enabled, it will automatically be used by the VPN peers. Then, with RRI in place, the remote networks will be added to the routing table as static routes, so they can be advertised by OSPF.

    HTH.

    Please rate all useful posts.
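    What the answer describes, as an added ASA configuration example that is not from the original thread (ASA 8.4 syntax; the map names, transform set, peer and addresses are assumed):

```cisco
! Added example, not from the original post: RRI on an ASA for both a
! site-to-site peer and remote-access clients, with the injected static
! routes redistributed into OSPF.  Names and addresses are assumed.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Site-to-site entry: the spoke's 172.20.0.0/16 appears as a static route
! while the tunnel is up
crypto map OUTSIDE-MAP 10 match address L2L-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 10 set reverse-route
!
! Remote-access clients (the case the question asks about): one /32 route per
! connected client, injected from the dynamic map
crypto dynamic-map RA-DYN 10 set ikev1 transform-set ESP-AES-SHA
crypto dynamic-map RA-DYN 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside
!
! Advertise the injected routes to the internal routers only
router ospf 1
 network 172.16.0.0 255.255.0.0 area 0
 redistribute static subnets
```

    Note that the routes are advertised on the inside, to the OSPF neighbours; nothing about 172.16.x.x is announced on the internet. The peers reach each other over their public addresses, and NAT-T only changes the encapsulation (UDP/4500) when one of them sits behind NAT.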

  • EzVPN server on an 887 router for remote access

    Hello.

    I'm having a problem implementing remote access using the EasyVPN server on an 887 router.  I followed the tutorials and also used the Cisco Configuration Professional EasyVPN server wizard for the configuration, but I'm still having a problem.

    I see Phase 1 complete, but Phase 2 fails with the following error...

    Oct 10 09:43:26.515: ISAKMP:(2003): Checking IPSec proposal 8
    Oct 10 09:43:26.515: ISAKMP: transform 1, ESP_AES
    Oct 10 09:43:26.515: ISAKMP:   attributes in transform:
    Oct 10 09:43:26.515: ISAKMP:      authenticator is HMAC-SHA
    Oct 10 09:43:26.515: ISAKMP:      key length is 128
    Oct 10 09:43:26.515: ISAKMP:      encaps is 1 (Tunnel)
    Oct 10 09:43:26.515: ISAKMP:      SA life type in seconds
    Oct 10 09:43:26.515: ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
    Oct 10 09:43:26.515: ISAKMP:(2003): atts are acceptable.
    Oct 10 09:43:26.515: IPSEC(validate_proposal_request): proposal part #1
    Oct 10 09:43:26.515: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 88.xx.xxx.174:0, remote= 80.177.185.185:0,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 192.168.21.12/255.255.255.255/0/0 (type=1),
        protocol= ESP, transform= NONE (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    Oct 10 09:43:26.515: map_db_find_best did not find matching map
    Oct 10 09:43:26.515: IPSEC(ipsec_process_proposal): proxy identities not supported
    Oct 10 09:43:26.515: ISAKMP:(2003): IPSec policy invalidated proposal with error 32

    Searching for 'proxy identities not supported' suggests a possible NAT problem, but I don't see where this would be.  In my view, the problem is elsewhere.

    I am using VPN Client 5.0.07.0440 with IPsec transparent tunneling (over TCP/10000), as the client is located behind a firewall/NAT device.

    Does anyone know what the issue may be?  Full config attached.

    Hello Mick

    Before that, one more try.

    Remove the PFS as follows:

    crypto ipsec profile RemoteAccess
     no set pfs group2

    Remove and re-add the crypto protection on the virtual template:

    interface Virtual-Template1 type tunnel
     no tunnel protection ipsec profile RemoteAccess
     tunnel protection ipsec profile RemoteAccess

    I hope this will solve your problem.

    Henin

  • Hyperion Financial Reporting ports for remote access

    Hello
    Can I know which ports I should open to allow remote access to the Hyperion Financial Reporting server for reporting via Hyperion Financial Reporting Studio from a home PC?


    Thank you

    You could also have a read of http://john-goodwin.blogspot.co.uk/2013/02/financial-reporting-studio-firewall-fun.html

    Cheers

    John
    http://John-Goodwin.blogspot.com/

  • 802.1X authentication on Cisco VPN for remote access

    I'm doing dial-up VPN (mobile VPN) on a Cisco ASA 5510, and now I want to authenticate remote users via the Microsoft IAS (standard RADIUS) service. However, I couldn't get the authentication process to go through via the PEAP protocol, and it seems that it only supports PAP, which isn't safe.

    Any suggestion on how to implement PEAP over remote access VPN?

    Thank you

    Hello

    Have a look at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

    It may be useful.

    Best regards.

    Massimiliano.

  • How can I assign a fixed static IP to remote access VPN users?

    Hi team,

    I have a requirement to assign a fixed static IP to remote access VPN users on the ASA; please help with how I can achieve this.

    Thanks in advance
    Mikael

    username user1 attributes
     vpn-framed-ip-address 10.200.115.78 255.255.0.0
