
Controlling Network Access for SSL VPN Users

Overview
The SSL VPN configuration uses two Cisco ASA 8.x appliances to terminate SSL sessions and provide VPN load balancing. SSL group policies and access control lists are maintained on the ASA appliances. The Cisco Secure ACS 5.2 server provides RADIUS authentication for SSL VPN users and assigns an SSL group policy based on the ACS user's Identity Group. All user accounts are maintained on ACS.

[Network diagram (image not recovered). Elements shown: Public side: https://web.acme.com (12.34.56.78); VPN LB IP 12.34.56.79; ASA1 and ASA2 with public addresses 12.34.56.80 and 12.34.56.81; SSL VPN User on the Internet. Private (Corp LAN) side: addresses 172.20.140.12, 172.20.140.13 and 172.20.140.251; a 3845 AC device on the Corp LAN.]

ASA Access-List Configuration


The access control list determines which subnets or hosts the SSL group policy is permitted to reach through the tunnel. Only traffic to the destinations permitted below is VPN encapsulated; everything else leaves the client unencrypted via its local Internet connection.

access-list SSL-ACL3 remark ACME - WEB TRAFFIC
access-list SSL-ACL3 standard permit host 12.34.56.78

ASA SSL Group Policy Configuration


SSL Group Policies will be configured for Split Tunneling. This will encapsulate corporate traffic and leave non-corporate traffic to traverse the Internet normally.
group-policy SSL-POLICY3 internal
group-policy SSL-POLICY3 attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL-ACL3
 webvpn
  homepage value https://web.acme.com
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect ask none default anyconnect
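Because the ACS side selects the group policy purely by name, the ACL, the group policy and the Class values configured in ACS have to agree, and nothing on the ASA complains when they do not. The following audit script is an added example (not configuration or code from the original document or from Cisco): it parses a constructed ASA running-config, modelled on the page's SSL-ACL3 and SSL-POLICY3 objects, and checks the wiring this design relies on. The aaa-server, tunnel-group and DfltGrpPolicy lines, the placeholder RADIUS server address 192.0.2.10 and all function names are assumptions; the page shows none of them.

```python
"""Audit the ASA objects behind the ACS -> group-policy mapping.

Added example, not configuration from the original document. SAMPLE_CONFIG is
constructed for the demo: the access-list and group-policy lines follow the
page, while the aaa-server, tunnel-group and DfltGrpPolicy lines and the
address 192.0.2.10 are assumptions about how an ASA would be pointed at ACS.
"""
import re

SAMPLE_CONFIG = """\
access-list SSL-ACL3 remark ACME - WEB TRAFFIC
access-list SSL-ACL3 standard permit host 12.34.56.78
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key constructed-secret
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy SSL-POLICY3 internal
group-policy SSL-POLICY3 attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL-ACL3
 webvpn
  homepage value https://web.acme.com
tunnel-group SSL-TG type remote-access
tunnel-group SSL-TG general-attributes
 authentication-server-group ACS
"""


def parse_acls(config):
    """Map ACL name -> {"type": "standard"|"extended"|None, "entries": [...]}."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (remark|standard|extended) (.*)", line)
        if not m:
            continue
        name, kind, rest = m.groups()
        acl = acls.setdefault(name, {"type": None, "entries": []})
        if kind != "remark":
            acl["type"] = kind
            acl["entries"].append(rest)
    return acls


def _parse_blocks(config, opener):
    """Collect indented keyword/value lines under lines matching `opener`.

    Repeated keywords (several 'anyconnect' lines) keep the last value; the
    audit only reads single-valued keywords.
    """
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(opener, line)
        if m:
            current = blocks.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value[6:] if value.startswith("value ") else value
        else:
            current = None
    return blocks


def parse_group_policies(config):
    return _parse_blocks(config, r"group-policy (\S+) attributes$")


def parse_tunnel_groups(config):
    return _parse_blocks(config, r"tunnel-group (\S+) general-attributes$")


def parse_aaa_servers(config):
    """Map aaa-server tag -> protocol."""
    return dict(re.findall(r"^aaa-server (\S+) protocol (\S+)", config, re.M))


def audit(config, acs_class_values):
    """Return a list of findings; an empty list means the mapping is consistent.

    acs_class_values: the RADIUS Class (attribute 25) strings set in the ACS
    authorization profiles, e.g. ["OU=SSL-POLICY3"].
    """
    findings = []
    acls = parse_acls(config)
    policies = parse_group_policies(config)
    servers = parse_aaa_servers(config)

    # 1. Each Class value must name an existing group-policy. A typo is silent:
    #    the ASA ignores the attribute and applies the tunnel-group default.
    for cls in acs_class_values:
        name = cls[3:].rstrip(";") if cls.startswith("OU=") else None
        if name is None:
            findings.append(f"Class value {cls!r} lacks the OU= prefix and selects no policy")
        elif name not in policies:
            findings.append(f"Class value {cls!r} names no group-policy on the ASA")

    # 2. Split tunnelling must reference an ACL that exists and is specific.
    for name, attrs in policies.items():
        if attrs.get("split-tunnel-policy") != "tunnelspecified":
            continue
        acl = acls.get(attrs.get("split-tunnel-network-list"))
        if acl is None:
            findings.append(f"{name}: split-tunnel-network-list references an undefined ACL")
        elif any("any" in entry.split() for entry in acl["entries"]):
            findings.append(f"{name}: split-tunnel ACL permits any, so all traffic is tunnelled")

    # 3. An unmapped user falls to the tunnel-group default policy, which is
    #    DfltGrpPolicy unless overridden; deny logins there.
    if policies.get("DfltGrpPolicy", {}).get("vpn-simultaneous-logins") != "0":
        findings.append("DfltGrpPolicy permits logins; users with no matching Class still connect")

    # 4. The tunnel-group must authenticate against the RADIUS (ACS) server group.
    for tg, attrs in parse_tunnel_groups(config).items():
        srv = attrs.get("authentication-server-group")
        if servers.get(srv) != "radius":
            findings.append(f"tunnel-group {tg}: authentication-server-group {srv!r} is not RADIUS")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["OU=SSL-POLICY3"]) or ["no findings"]:
        print(finding)
```

Run it against a `show running-config` capture with the list of Class values taken from the ACS authorization profiles; the DfltGrpPolicy check is the one most often missing in practice, since the default of three simultaneous logins lets a user whose Class value matched nothing connect anyway.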
Morgan Stepp CCIE #12603 | morganstepp@yahoo.com

Page 1 of 6

ACS Identity Group


In ACS, users are assigned to an Identity Group. For our SSL VPN users we create a group that combines users with similar network access requirements. Group names are internal to ACS and are never seen by SSL users. Select User and Identity Stores > Identity Groups, create the new Identity Group and select Submit.


ACS Users
Select User and Identity Stores > Users, create the new user accounts and assign each to the desired Identity Group. The Enable Password is not needed unless the user will also perform Cisco Device Administration; leave it empty for VPN-only users.


ACS Authorization Profiles


The network access level for SSL VPN users is defined using ACS Authorization Profiles. Each profile can contain multiple attributes to customize access. In the Ivans SSL VPN configuration we create one Authorization Profile per SSL user group (Identity Group) in ACS and match each to the corresponding SSL group policy on the ASA. Select Policy Elements > Authorization Profiles and select the Create button to establish a new Authorization Profile.

Name the Authorization Profile and select Submit.


Select the new profile and open the RADIUS Attributes tab. Click the Select button next to the RADIUS Attribute field.

Within each profile we use the RADIUS attribute Class (ID 25) to select the SSL group policy previously configured on the ASA. Select the radio button for the Class attribute and click OK.

Set the attribute value to OU=<group-policy name>, spelled exactly as the policy is named on the ASA; in this example we use OU=SSL-POLICY3. Click Add and Submit. The match is by name only, so a misspelled value is not flagged on either side: the ASA ignores the attribute and the user receives the tunnel group's default group policy instead.
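What the ASA actually receives from ACS is a RADIUS Access-Accept carrying attribute 25 with the string value OU=SSL-POLICY3. The following is an added example, not code from the original document, ACS or the ASA: it encodes that reply as RFC 2865 specifies, verifies the Response Authenticator the way the ASA (the NAS) must before trusting the reply, and extracts the group-policy name from the OU= prefix. The shared secret, packet identifier and Request Authenticator are constructed for the demo; MD5 is what the RADIUS protocol mandates for the authenticator, not a design choice.

```python
"""RADIUS Access-Accept with Class (attribute 25) -> ASA group-policy name.

Added example, not from the original document. It builds the reply ACS would
return for a user in the SSL-POLICY3 identity group, verifies the Response
Authenticator the way the ASA must, and pulls the group-policy name from the
OU= prefix. Secret, identifier and request authenticator are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_CLASS = 25


def build_reply(code, identifier, request_authenticator, secret, attributes=()):
    """Encode a RADIUS reply; attributes is a sequence of (type, bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_reply(packet, request_authenticator, secret):
    """True if the Response Authenticator matches; rejects truncated packets."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return [(type, value)] from the attribute section, refusing bad lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("attribute length runs past packet end")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def group_policy_from_reply(packet, request_authenticator, secret):
    """Group-policy name the ASA would apply from this reply, or None.

    Only an authenticated Access-Accept counts, and only a Class value of the
    form OU=<name> (a trailing ';' is tolerated) selects a policy; any other
    Class value is ignored and the user falls to the tunnel-group default.
    """
    if not verify_reply(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        return None
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_CLASS and value.startswith(b"OU="):
            return value[3:].rstrip(b";").decode("ascii")
    return None


def demo():
    """Round trip for the page's SSL-POLICY3 policy with constructed inputs."""
    secret = b"constructed-shared-secret"    # assumed, not a real site key
    request_authenticator = bytes(range(16))  # a real NAS picks this at random
    reply = build_reply(ACCESS_ACCEPT, 7, request_authenticator, secret,
                        [(ATTR_CLASS, b"OU=SSL-POLICY3")])
    return group_policy_from_reply(reply, request_authenticator, secret)


if __name__ == "__main__":
    print(demo())
```

The authenticator check is the only integrity protection RADIUS offers on the reply; an attacker who can spoof packets from the ACS address but does not know the shared secret cannot produce an Access-Accept that passes it, which is why the secret deserves the same care as any other credential.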


ACS Access Policies


The network access policy applies the Authorization Profiles to the SSL VPN user groups (Identity Groups). When SSL users log in, they are granted access according to the access policy rule that matches their assigned Identity Group. Select Access Policies > Authorization and add a rule whose condition is the Identity Group and whose result is the matching Authorization Profile.
