Educause Security Discussion mailing list archives
How to Protect Campus Sensitive Servers - Solution
From: "Di Fabio, Andrea" <adifabio () NSU EDU>
Date: Fri, 5 Feb 2010 09:19:51 -0500
I received a lot of requests to share our Dynamic Split tunnel configuration, so I am just going to post it to the group.

I remember doing this 3 or 4 years ago, and looking back at the ASA configuration, there is nothing special in the actual ASA configuration besides multiple VPN Group Policies.

So let's say you create 2 group policies:

VPN_Faculty
VPN_Staff

As you know, each one can have its own DHCP pool, split tunnel (called network list), ACL, etc.

What you want to do is to create Radius mappings for users. We did this based on AD groups, and assigned the following Radius Attribute for each Radius Policy:

For users matching faculty groups in AD/Radius:
Attribute Name: Class
Attribute Number: 25
Attribute Format: OctetString
Value: OU=VPN_Faculty;

For users matching Staff groups in AD/Radius:
Attribute Name: Class
Attribute Number: 25
Attribute Format: OctetString
Value: OU=VPN_Staff;

Etc.

Note that the value must match the VPN group policy, the string is case sensitive, and it REQUIRES the SEMICOLON at the end or it won't work.

I did a quick Google search and I found the following document:
http://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html
which seems to explain it better than what I may have done.

I hope this helps.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax
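An added example, not part of the original post: a small audit that compares RADIUS Class (attribute 25) values against the group-policy names defined on the ASA and reports the failure modes the message warns about (missing semicolon, wrong case, unknown policy). The ASA excerpt, the RADIUS table, the ACL names and all function names are constructed for illustration.

```python
import re

# Constructed ASA excerpt; only the group-policy definitions matter here.
ASA_CONFIG = """\
group-policy VPN_Faculty internal
group-policy VPN_Faculty attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_FACULTY
group-policy VPN_Staff internal
group-policy VPN_Staff attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_STAFF
"""

# Constructed RADIUS policy table: AD group -> Class (attribute 25) value.
RADIUS_CLASS = {
    "Faculty": "OU=VPN_Faculty;",
    "Staff": "OU=VPN_Staff",          # semicolon left off
    "Adjunct": "OU=vpn_faculty;",     # wrong case
    "Contractors": "OU=VPN_Vendor;",  # policy not defined on the ASA
}

def group_policies(config):
    """Return the group-policy names defined in an ASA configuration."""
    pattern = r"^group-policy (\S+) (?:internal|external)\b"
    return set(re.findall(pattern, config, re.M))

def check_class(value, policies):
    """Check one Class value against the rule 'OU=<group-policy>;'."""
    m = re.fullmatch(r"OU=([^;]+)(;?)", value)
    if not m:
        return "malformed: expected OU=<group-policy>;"
    name, semicolon = m.groups()
    if not semicolon:
        return "missing trailing semicolon"
    if name in policies:
        return "ok"
    folded = {p.lower(): p for p in policies}
    if name.lower() in folded:
        return f"case mismatch: ASA policy is {folded[name.lower()]}"
    return "no such group policy on the ASA"

def audit(radius_class=RADIUS_CLASS, config=ASA_CONFIG):
    """Map each AD group to the result of checking its Class value."""
    policies = group_policies(config)
    return {g: check_class(v, policies) for g, v in radius_class.items()}

if __name__ == "__main__":
    for group, result in audit().items():
        print(f"{group:12} {RADIUS_CLASS[group]:18} {result}")
```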