LTLnetworker | IT networks, security, Cisco

Archive for the ‘remote access’ Category

Using Cisco ISE as a generic RADIUS server

Posted by LTLnetworker on August 31, 2014


Cisco ISE is an identity-based policy server with a wide range of functions, from RADIUS CLI authentication to workstation posturing. Even with just a base license it includes a full-featured RADIUS server, so it can also perform trivial RADIUS tasks that would not by themselves require such a sophisticated product. Some years earlier, Cisco Secure ACS would commonly have been chosen for the functions described in this article. ISE’s policy logic and web interface are quite different.

The following use cases are described:

Posted in AAA, ASA, Cisco, IPsec, ISE, remote access, router IOS, switch

Smart tunnels on Cisco ASA

Posted by LTLnetworker on January 17, 2014


Sometimes we have to provide secure remote access for users over whose computers we have no influence at all. These computers don’t have AnyConnect or the Cisco VPN client, and the users may not have administrator rights, so browser-based AnyConnect installation is not an option either. For such users we can set up a WebVPN portal on the Cisco ASA with the clientless SSL VPN feature.

Clientless SSL VPN provides a web portal with various services such as internal websites, CIFS links, Outlook Web Access etc., all of which are accessed via the browser. The ASA software provides an HTTPS service to the client and proxies the internal server’s content. The SSL core rewriter (or content rewriter) does application proxying, so not all websites are guaranteed to work properly. For example, as of 9.1(3) the ASA software does not support the Microsoft SharePoint 2013 portal, and some tricky content is not displayed.

Posted in ASA, Cisco, remote access

IOS Easy VPN Server with LDAP authentication

Posted by LTLnetworker on November 9, 2010



LDAP support for authentication and authorization was introduced in IOS 15.1(1)T. In this article we test a Cisco VPN client connection authenticated against Novell NetWare eDirectory.

Structure of the LDAP directory:

Posted in AAA, Cisco, IPsec, remote access, router IOS

IOS Easy VPN with RADIUS, Cisco Secure ACS 5.1 and AAA cache

Posted by LTLnetworker on May 10, 2010


The AAA Authorization and Authentication Cache was integrated in IOS 15.0(1)M. This feature enables the router to store AAA credentials in its cache after it has received the RADIUS or TACACS+ reply to an AAA request. The cache can be used either as a performance boost (avoiding sending requests to the AAA server) or as a fallback method in case the servers are unreachable. The mode depends on the order in which you place your authentication methods in the aaa commands (see below).

In this example we are caching TACACS admin users’ credentials (telnet, vty) and RADIUS VPN users’ credentials (IKE xauth). The VPN group is also defined on the RADIUS server.


Posted in ACS, Cisco, IPsec, remote access, router IOS

Local user group-lock in IOS Easy VPN

Posted by LTLnetworker on May 7, 2010


Cisco router IOS Easy VPN Server

The Group-Lock feature can also be used with local users; we can even create something like ‘local user groups’. Possible formats are:

name/group, name\group, name@group, or name%group

Posted in AAA, Cisco, IPsec, remote access, router IOS