The Cisco ASA supports ACLs that are group-specific or user-specific. A user-specific ACL overrides any group-specific entries.
Take the user "user1": we want to allow him SSH access to all hosts, but not to host 10.99.90.17. Crafting a user-specific ACL and applying it to the username will accomplish this task.
Here's the config:
show run username user1
username user1 password xaI3t+nY5wjYQ2thSKJfoQ== nt-encrypted
username user1 attributes
vpn-group-policy MANAGEMENT
vpn-filter value user1ac
memberof MGT
So upon access and successful authentication, the ACL named user1ac will control his access.
show run access-list user1ac
access-list user1ac extended deny tcp any host 10.99.90.17 eq ssh
access-list user1ac extended permit tcp any any eq ssh
Okay, so let's test this out:
(ssh to 10.99.90.17)
airjordan:~ kfelix$ ssh 10.99.90.17
ssh: connect to host 10.99.90.17 port 22: Operation timed out
Now let's ssh to another host:
(ssh to host 10.99.90.1)
airjordan:~ kfelix$
airjordan:~ kfelix$ ssh 10.99.90.1
Password:
CSW1_2960>
Okay now, let's apply the same thing, but this time to the VPN group-policy directly:
group-policy MANAGEMENT attributes
dns-server value 8.8.4.4 8.8.8.8
vpn-filter value user1ac
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tun-managementonly
default-domain value socpuppets.com
user-authentication enable
So now you have seen 2 ways to restrict users: VPN group policies let you apply group-specific ACLs or user-specific ones.
NOTE: If you make changes to the group-policy, the username attributes or the access-list, they will not take effect until the user has disconnected and re-authenticated.
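To make the matching rules concrete, here is an added Python model (not from this post and not Cisco code) of how the ASA evaluates a vpn-filter ACL for a client-to-inside flow: first matching entry wins, a flow that matches nothing hits the ACL's implicit deny, and a vpn-filter set under the username attributes takes precedence over the group-policy one. The client address 192.0.2.10 and the port-80 probe are constructed inputs; the ACL lines are the page's user1ac re-typed as data.

```python
import ipaddress
import re

# Constructed sample: the page's user-specific vpn-filter, re-typed here as
# input for the evaluator (not a config exported from the ASA).
USER1AC = [
    "access-list user1ac extended deny tcp any host 10.99.90.17 eq ssh",
    "access-list user1ac extended permit tcp any any eq ssh",
]

ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\w+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\w+))?$"
)
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}


def _port(spec):
    """Resolve an ACE port keyword or number to an integer."""
    return PORT_NAMES.get(spec) or int(spec)


def _addr_matches(spec, ip):
    """ASA address forms: 'any', 'host A.B.C.D', or 'network mask'."""
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return ipaddress.ip_address(ip) == ipaddress.ip_address(value)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{kind}/{value}", strict=False)


def parse_acl(lines):
    """Parse 'access-list ... extended ...' lines into ACE dicts, keeping order."""
    return [ACE_RE.match(line.strip()).groupdict() for line in lines]


def evaluate(aces, proto, src, dst, dport):
    """Client-to-inside flow: first matching ACE wins, implicit deny at the end."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_matches(ace["src"], src) and _addr_matches(ace["dst"], dst)):
            continue
        if ace["port"] is not None and _port(ace["port"]) != dport:
            continue
        return ace["action"]
    return "deny"  # no ACE matched: the ACL's implicit deny applies


def effective_filter(user_filter, group_filter):
    """A vpn-filter under 'username ... attributes' overrides the group-policy value."""
    return user_filter if user_filter is not None else group_filter
```

Running `evaluate(parse_acl(USER1AC), "tcp", "192.0.2.10", "10.99.90.1", 80)` returns "deny": user1ac only ever permits SSH, so everything else falls through to the implicit deny.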
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( @ @ )=
o
/ \