Educause Security Discussion mailing list archives

How to Protect Campus Sensitive Servers - Solution


From: "Di Fabio, Andrea" <adifabio () NSU EDU>
Date: Fri, 5 Feb 2010 09:19:51 -0500

I received a lot of requests to share our Dynamic Split tunnel
configuration, so I am just going to post it to the group.
I remember doing this 3 or 4 years ago, and looking back at the ASA
configuration, there is nothing special in the actual ASA configuration,
besides multiple VPN Group Policies.

So let's say you create 2 group policies:

VPN_Faculty
VPN_Staff

As you know each one can have its own DHCP pool, split tunnel (called
network list), ACL, etc.

What you want to do is create Radius mappings for users.  We did this
based on AD groups, and assigned the following Radius Attribute for each
Radius Policy:

For users matching faculty groups in AD/Radius

Attribute Name: Class
Attribute Number: 25
Attribute Format: OctetString
Value: OU=VPN_Faculty;

For users matching staff groups in AD/Radius

Attribute Name: Class
Attribute Number: 25
Attribute Format: OctetString
Value: OU=VPN_Staff;

Etc.

Note that the value must match the VPN group policy; the string is case-sensitive
and it REQUIRES the SEMICOLON at the end or it won't work.

I did a quick Google search and I found the following document:
http://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html
which seems to explain it better than what I may have done.

I hope this helps.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax

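The mapping the post describes, as an added example that is not part of the original message: a small Python checker (the group-policy names and packet bytes are constructed samples, not taken from the post) that encodes a RADIUS Class (25) attribute as a TLV, parses it back out of an Access-Accept attribute block, and reports whether the ASA's literal `OU=<group-policy>;` match would succeed, flagging the missing-semicolon and wrong-case failures the post warns about.

```python
import re
import struct

CLASS_ATTR_TYPE = 25  # RADIUS "Class" attribute number (RFC 2865)
# Constructed sample: group policies assumed to exist on the ASA.
CONFIGURED_GROUP_POLICIES = {"VPN_Faculty", "VPN_Staff"}
# The ASA matches the value literally: "OU=<group-policy>;" with the semicolon.
_OU_PATTERN = re.compile(r"^OU=([^;]+);$")

def encode_class_attribute(value: str) -> bytes:
    """Encode one Class attribute as a RADIUS TLV: type, length, value."""
    data = value.encode("ascii")
    if not 1 <= len(data) <= 253:
        raise ValueError("Class value must be 1..253 bytes")
    return struct.pack("!BB", CLASS_ATTR_TYPE, len(data) + 2) + data

def decode_attributes(attrs: bytes) -> list:
    """Walk a RADIUS attribute block and return (type, value) pairs."""
    out, offset = [], 0
    while offset < len(attrs):
        if offset + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack_from("!BB", attrs, offset)
        if attr_len < 2 or offset + attr_len > len(attrs):
            raise ValueError("invalid attribute length")
        out.append((attr_type, attrs[offset + 2:offset + attr_len]))
        offset += attr_len
    return out

def group_policy_from_class(value: bytes, configured=CONFIGURED_GROUP_POLICIES):
    """Return (policy, reason); policy is None when the ASA would not match it."""
    text = value.decode("ascii", errors="replace")
    match = _OU_PATTERN.match(text)
    if not match:
        return None, "expected exactly 'OU=<group-policy>;' (semicolon required)"
    name = match.group(1)
    if name not in configured:  # case-sensitive, as the post warns
        return None, f"no group policy named {name!r} (names are case-sensitive)"
    return name, "ok"

def check_access_accept(attrs: bytes):
    """Locate the Class attribute in an Access-Accept and validate it."""
    for attr_type, value in decode_attributes(attrs):
        if attr_type == CLASS_ATTR_TYPE:
            return group_policy_from_class(value)
    return None, "no Class attribute; user would get the default group policy"
```

Running it against a captured Access-Accept attribute block before rolling a new Radius policy out catches the two mistakes the post calls out without touching the ASA.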

