Educause Security Discussion mailing list archives

Re: How to Protect Campus Sensitive Servers - Solution


From: schilling <schilling2006 () GMAIL COM>
Date: Fri, 5 Feb 2010 09:49:04 -0500

Hi All,

There was once a white paper called Cisco ASA LDAP Integration Use Cases
on 6200networks.com (now available as another site, either hijacked or
registered by somebody else) run by Cisco employee Joe Harris.  There
are use cases about group mapping. I still have a hard copy of the
white paper, but could not find an e-copy. If someone has it, please
share with the group.

Shiling Ding
Information Technology Services
Florida State University

On Fri, Feb 5, 2010 at 9:19 AM, Di Fabio, Andrea <adifabio () nsu edu> wrote:
I received a lot of requests to share our Dynamic Split tunnel
configuration, so I am just going to post it to the group.
I remember doing this 3 or 4 years ago, and looking back at the ASA
configuration, there is nothing special in the actual ASA configuration,
besides multiple VPN Group Policies.

So let's say you create 2 group policies:

VPN_Faculty
VPN_Staff

As you know each one can have its own DHCP pool, split tunnel (called
network list), ACL, etc.

What you want to do is create RADIUS mappings for users.  We did this
based on AD groups, and assigned the following RADIUS attribute for each
RADIUS policy:

For users matching faculty groups in AD/RADIUS

Attribute Name: Class
Attribute Number: 25
Attribute Format: OctetString
Value: OU=VPN_Faculty;

For users matching staff groups in AD/RADIUS

Attribute Name: Class
Attribute Number: 25
Attribute Format: OctetString
Value: OU=VPN_Staff;

Etc.

Note that the value must match the VPN group policy and the string is case
sensitive and it REQUIRES the SEMICOLON at the end or it won't work.

I did a quick Google search and I found the following document:
http://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html
which seems to explain it better than what I may have done.

I hope this helps.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax
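Worked example added here; it is not code from either message, from Cisco, or from the linked blog post. The script builds the RADIUS Class attribute (type 25) value in the `OU=<group-policy>;` form Andrea describes, encodes it as a standard type/length/value RADIUS attribute, and checks a received value the way the message says the ASA matches it: exact, case-sensitive, trailing semicolon required. The group-policy names and the AD group DNs are constructed samples, and the AD-group-to-policy dictionary is an assumed stand-in for the RADIUS server's policy rules.

```python
# Added example, not code from the thread or from Cisco: builds the RADIUS
# Class attribute (type 25) that the ASA uses to select a VPN group-policy,
# and checks a received value the way the thread says the ASA does.
import re
import struct
from typing import Iterable, Optional, Tuple

RADIUS_ATTR_CLASS = 25  # attribute number quoted in the thread

# Constructed sample: group-policies defined on the ASA (assumed names)
ASA_GROUP_POLICIES = {"VPN_Faculty", "VPN_Staff"}

# Constructed sample: AD group DN -> ASA group-policy (assumed mapping)
AD_GROUP_TO_POLICY = {
    "CN=Faculty,OU=Groups,DC=example,DC=edu": "VPN_Faculty",
    "CN=Staff,OU=Groups,DC=example,DC=edu": "VPN_Staff",
}

# 'OU=<policy>;' exactly: case-sensitive, trailing semicolon mandatory
_CLASS_RE = re.compile(r"^OU=([A-Za-z0-9_-]+);$")


def class_value_for(policy_name: str) -> str:
    """Return the Class string in the form the thread describes."""
    return f"OU={policy_name};"


def encode_class_avp(value: str) -> bytes:
    """Wrap the string in a RADIUS attribute: type(1) length(1) octets."""
    data = value.encode("ascii")
    if len(data) > 253:  # the length octet counts the 2-byte header, max 255
        raise ValueError("Class value exceeds 253 octets")
    return struct.pack("BB", RADIUS_ATTR_CLASS, 2 + len(data)) + data


def decode_avp(avp: bytes) -> Tuple[int, bytes]:
    """Split one attribute into (type, value), checking the length octet."""
    if len(avp) < 2:
        raise ValueError("attribute shorter than its header")
    attr_type, length = struct.unpack("BB", avp[:2])
    if length < 2 or length != len(avp):
        raise ValueError("length octet does not match attribute size")
    return attr_type, avp[2:]


def resolve_group_policy(class_value: str,
                         policies: Iterable[str] = ASA_GROUP_POLICIES) -> Optional[str]:
    """Match a Class value against the ASA's group-policies.
    Returns None for a missing semicolon, a case mismatch, or an unknown
    name, i.e. the situations where the ASA would not apply the policy."""
    match = _CLASS_RE.match(class_value)
    if match is None:
        return None
    name = match.group(1)
    return name if name in set(policies) else None


def avp_for_user(ad_groups: Iterable[str]) -> Optional[bytes]:
    """Pick the first mapped AD group and emit the encoded Class attribute."""
    for group in ad_groups:
        policy = AD_GROUP_TO_POLICY.get(group)
        if policy is not None:
            return encode_class_avp(class_value_for(policy))
    return None


def check_value(class_value: str) -> str:
    """Explain why a Class value would or would not select a policy."""
    if not class_value.endswith(";"):
        return "missing trailing semicolon"
    policy = resolve_group_policy(class_value)
    if policy is None:
        return "no group-policy matches (check spelling and case)"
    return f"selects {policy}"


if __name__ == "__main__":
    for sample in ("OU=VPN_Faculty;", "OU=VPN_Faculty", "OU=vpn_staff;"):
        print(f"{sample!r}: {check_value(sample)}")
    print(avp_for_user(["CN=Staff,OU=Groups,DC=example,DC=edu"]))
```

Running `check_value` over the three samples shows the three ways the mapping silently falls through to the default group-policy: a missing semicolon, a case mismatch, and a name that does not exist on the ASA. When adding a new group-policy, feed its exact name through `class_value_for` and paste the result into the RADIUS policy rather than typing it by hand.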

