ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

Hi All,
I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I believe it should be easy.
The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
I can only do an all or nothing scenario.
It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
Scenario 2 would be an ideal longer term solution.
Any thoughts, ideas or assistance would be greatly appreciated.
Cheers

This is exactly what I was looking for, and Nelson is correct. When you enter the DAP configuration for a profile, click on "Advanced" and there is the option to create a logical expression. The guide (there is a button to access this) is really helpful, with a couple of examples. This is what I used:
assert(function()
   if ( (type(aaa.ldap.distinguishedName) == "string") and
        (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
then
       return true
   end
   return false
end)()
From the debug dap you can see what Users relates to:
DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
My admin account fails to get me into the same profile:
DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
Thanks
Andrew
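Andrew's expression passes any user whose own DN merely contains the text "OU=Users", so a DN under a differently named site's Users OU, or under an OU such as "OU=Users-Contractors", would pass too. The DAP expression below is an added example, not from the original thread: it checks the user's group membership exactly instead, assuming the LDAP server returns memberOf for the user so that it appears in DAP as aaa.ldap.memberOf, and using a placeholder group DN that you would replace with the real one.

```lua
-- Added example, not Andrew's code: allow the profile only when the user is a
-- direct member of one specific AD group, matched on the whole group DN.
-- Assumes memberOf is returned by the LDAP server and so is visible to DAP as
-- aaa.ldap.memberOf; the group DN below is a placeholder to replace.
assert(function()
  local wanted = "CN=CarpetBaggers,OU=Groups,DC=Mycompany,DC=com"  -- placeholder
  local groups = aaa.ldap.memberOf
  -- memberOf arrives as a string for one group and as a table when the user
  -- belongs to several; anything else means the attribute was not returned.
  if type(groups) == "string" then
    groups = { groups }
  elseif type(groups) ~= "table" then
    return false   -- fail closed: no membership data, no access
  end
  for _, dn in pairs(groups) do
    -- whole-value, case-insensitive comparison; unlike string.find this
    -- cannot be satisfied by a longer DN that merely contains the text
    if string.lower(dn) == string.lower(wanted) then
      return true
    end
  end
  return false
end)()
```

memberOf lists direct membership only, so users who reach the group through a nested group are not matched. The DAP_TRACE output Andrew shows is the place to confirm the exact attribute values the ASA actually received before trusting the expression.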

Similar Messages

  • ASA WebVPN - restrict access to users in an AD group via ACS

    Hi folks.
    I'm doing a WebVPN pilot on one of our ASAs (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST").
    Right now the ASA does RADIUS auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows Active Directory domain.
    Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
    I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

    Try using the following to tie users to certain group policies:
    Using a RADIUS Server
    Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
    Step 2 Set the Class attribute to the group policy name in the format OU=group_name
    For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)

  • How do you restrict access to custom applications?

    When I create portlets, there is usually an associated "admin" functionality that needs to be created for each custom application. An example is a shopping cart that we just created, we needed admins to be able to go in and upload photos.
    The way that I do this is I create a new portlet "Shopping Cart Admin" and restrict access to it that way. However, because I usually add everything in the /remoteserver/shoppingcart/. folder to the gateway space (it's too painful to add one by one), this means that I can't put admin.aspx in that folder. So I usually end up creating a NEW folder /remoteserver/shoppingcartadmin/ for the admin portlet.
    Long story short, it's a lot of work. I know that I could try to use activity rights, but those seem very global. How do you control edit access to your custom portlets?

    Well, there are a few different ways to go about it. You could add a preferences page with the admin functionality, and then an admin would just have to click the little pencil in the portlet titlebar. No admin/edit access, no little pencil.
    I have often set the visibility of an ASPX control directly from activity rights, in OnPageLoad, if it isn't postback time. The activity rights should be inherited by the user, through the user's group. Best practice is to create empty groups called Roles, add activity rights to the Roles, and then have the actual groups (that contain users) inherit from one or more Roles.
    You already knew that part, I added it for the others. My personal definition of a portlet is 'polymorphous instance of a web service'.
    So:
    Role: Store Manager (has Edit Shopping Cart activity right)
    ^
    Group: Store Managers (has Store Manager parent group)
    User: Vladimir (inherits Edit Shopping Cart activity right)

  • HT2729 How do I restrict access to a library? Can I use password?

    I am using Apple TV. I have 2 libraries with different video content. I want to restrict access to 1 of these libraries. How do I do this?

    Any file on YOUR desktop already has permissions set such that no other user account can access. But if you want to use the OS's native capability to encrypt the contents of a folder, place that folder within an encrypted image.
    Use Disk Utility to create a disk image, and encrypt it with the same utility (use settings in "new image") . Make sure you size the image to a size great enough to hold all your files. Once created, and placed on your desktop, open it, using your password. Once the image is mounted, place the files you want to protect into that image, and then dismount/eject the image. The image essentially becomes your password encrypted folder. Double click it at any time to access your files (enter password). Eject the mounted image to "re-encrypt".
    If you want a disk image that has cross-platform capability, then try TrueCrypt. It is a great app for Mac & Windows, with other advantages as well.

  • Smb: how do you log access & disconnect users?

    I've always relied on AFP for file sharing, but since it seems like that's kind of on the way out and SMB is the new way to do things, I've been trying that out instead. A few questions though...
    Where are the access logs? I'm looking for the equivalent of the AppleFileServiceAccess.log that I see in the Console, that shows timestamps with IPs for opening & deleting files, etc. (Maybe logging has to be enabled with some separate step that's not in the Server app GUI, or the log isn't called something obvious?)
    How do you force a user to disconnect? (Remote users sometimes drop connections, so they're really not connected anymore but the server still shows the connection. For AFP users, I can use the Disconnect button to remove these ghosts, but when I try to use that button on an SMB connection I just get a message saying it only works for AFP. So... do the ghosts just pile up and you're supposed to ignore them, or do you have to restart the server, etc.?)


  • How do you restrict access to certain apps via the use of Time Restrictions?

    Is there anyway to limit the use of certain apps to a time period of the day? I know the time restrictions on this site ONLY pertain to texting and calls, but not email or any other app, such as Twitter or Facebook, etc.


  • How do you restrict access to a business process structure in Solution Mngr

    We have set up a business process structure in Solution Manager that includes Finance to Manage and Hire to Retire.
    Although it is OK for people to display the documentation in each area, we do have the requirement that the people owning Finance to Manage should not be able to change the documentation in Hire to Retire and vice versa. Is there a security object that restricts this access? Are there other ways of doing this?
    Thanks
    Paul

    I am not a security person, but we have the following details in the profile. You can change these if you click on these areas changing it to display or change mode
    SAP Solution Manager Tab AI_SA_TAB
    --> SAP Solution Manager Tab 
        ---> Activity 02, 90
        ---> Tab in SAP Solution Manager BCSETS, CONFIG, CUSTDOCU, GRAPHIC, IMG, ISSUE, (ETC.)
    > Transaction Type in SAP Solution Manager  1
    Hope this helps
    Paul

  • How do you restrict access of a pdf to one user at a time?

    I need to put PDFs on a shared work server so that users can make their own individual comments on them, and so collate all corrections for me to then pick up in one PDF.
    Question is, can I restrict the PDF in some way that prevents it from opening if another user has it open and is in the process of making their comments on it?
    Thanks

    That's not a good way to do that. You should look into Acrobat's Shared Review features.

  • How do I restrict access so users can only visit certain sites?

    At work we are setting up a laptop in order to do only one thing - use one particular website. I'd like to make sure nobody can visit any other sites.

    Your secure computer has a piece of unpleasant software - My Web Search. Remove any signs of it in Add-ons>Extensions and Plug-ins. Also check in Add/Remove Programs(Programs and Features in Win7). Also make sure you don't have any entries for Fun Web Products.
    You are showing Fx3.5.8. If that is so, it is high time you updated. Chances are, though, that My Web Search has frozen your User Agent String.
    Google for further information but don't accept advice from people behind these products. You can also look in the Search Firefox Help box above.

  • SSH login- how do I restrict access to a shared folder?

    I have created Shares in WGM for SMB and AFP access on my OS X 10.4.8 Server. However, when I connect via SSH it's not restricting access to the folder based on the user name I log in with; I see the entire volume! How do I restrict access to a specific folder based on a user name set up in WGM? ACLs?

    Hey George,
    It sounds like you are trying to limit ssh/sftp users to a specific area, aka jails. The FTP server lets you 'chroot' users to a certain area making it appear as the root thus preventing them from navigating up the hierarchy, which is what I think you, and me and many others are trying to accomplish.
    The ssh compiled into OS X is missing this very needed feature. There have been a few documented workarounds, but they've either been too insecure or too clunky for me.
    I've dealt with the fact that my users can get to the root of the hard drive, and have just been very careful about my privileges (by using ACLs), thus preventing them from getting inside areas they shouldn't.
    There's a good write up here: http://www.schwie.com/brad/macosxsftpchroot/ and if you include the term 'chroot' in your searches, you should find a bit about it here too.
    And Roger, I think George meant the file sharing protocol used by ssh. man sftp.

  • How can I restrict access to add. internal hard drive by account?

    Hello! Okay, so I am my computer's administrator, and I have a secondary 'guest' account that anyone else can use. So, I know that all my data on my main, OS hard drive is secure from the guest account accessing it, but what about the additional hard drive that I have installed?
    I have a good deal of sensitive data and files stored (and aliased) on my second internal drive that I do not care for 'guest' users to stumble upon. How can I restrict access to the secondary storage hard drive from my Guest login account, and/or just plain hide it from it? Surely, there is a need for this that has brought about a solution. Any tips/advice/solutions?
    Thanks!!!
    =)

    Click here and follow the instructions followed by placing the folders and files on the image; if the password is in the keychain, it will be supplied whenever you're logged in.

  • How do you get access to window?

    When you do a typical System.out.print-whatever it prints a stream of text onto that default java window which popped up when you executed your program. My question is, how do you get access to this particular window, so you can resize it, clear it, or put text in specific locations instead of at the end of a buffer... any tips will be appreciated. thanks

    hmm so there is no way to do anything special to that dos-like window except append text to it? Is there a way at least to remove text from it? (sorta like printing dots and then removing them?)

  • How do i restrict access to gambling sites

    How do I restrict access to gambling sites on an iPad mini?

    You can put a filter on your wifi or use something like the K9 browser.

  • How do you authorize access to itunes while blocking the access of the rest of the computer?

    How do you authorize access to iTunes while blocking access to the rest of the computer? I want to do a party and let people have access to the music, but I don't want them to look in my files. I have Windows 7.
    I cannot log off and let the music play. Ideally I would want to have a password for access to the rest of the computer.
    Thank you!

    The following may help with the file sharing issues: OS X Mavericks: Share your files

  • How do you gain access to all files on different users?

    How do you gain access to all files and folders for each user?

    http://forums.whirlpool.net.au/archive/718273
