RE: IOS SSLVPN AND ACTIVE DIRECTORY

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Sun, 14 Nov 2010 18:18:09 -0500

I really suggest you read the tech docs on this technology if you are going to be deploying it and supporting it...

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml

WHY WOULDN'T YOU READ IT?

How do you learn things?

Who is paying you if you are not willing to even take basic steps to improve your knowledge of this basic technology?

If you did read it, you would see this command under the SSL VPN group policy:

max-users 25

Now regarding QoS for SSL VPN users:

The best approach for this is to implement a WRED and CBWFQ policy for all traffic and make use of QoS policies that effectively ensure low-latency traffic (i.e. voice) works regardless of what someone is pushing over their SSL VPN connection.

Additionally, if you want the entire SSL VPN process to be limited out of an interface, I would simply make a CAR policy (i.e. rate-limit commands) and match an ACL where the source of the traffic is the webvpn IP and the destination is any. But you will have to play with this, as I can't recall how rate-limit works on traffic FROM the router.

-Joe
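Added here as an illustration, not code from Joe's mail or from Cisco: a small Python audit that walks an IOS-style indented configuration and checks the three controls the thread touches on: that each webvpn context binds an AAA authentication list backed by a RADIUS group (the AD-via-IAS/NPS setup), that a max-users limit is present directly under the context, and that no policy group turns on the SSL VPN file-access functions. The sample config is constructed: the RADIUS and webvpn lines mirror the thread, while the gateway `ip address` line, the `functions file-access` line, the 192.0.2.1 address and the whole `other-context` block are assumed for the demo.

```python
"""Audit an IOS-style SSL VPN (webvpn) config for the controls discussed in the thread.
Added example, not Cisco code; parser is a minimal indentation-based one."""
import re

# Constructed running-config excerpt (not from a real device). Names, the
# 192.0.2.1 address and the 'other-context' block are made up for the demo.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login msftad group radius
aaa authorization network msftad group radius
radius-server host 10.110.20.10 auth-port 1645 acct-port 1646 key 7 0991430B2A5411001
webvpn gateway somegw
 ip address 192.0.2.1 port 443
 inservice
webvpn context some-context
 max-users 25
 policy group some-policy
   functions file-access
 default-group-policy some-policy
 aaa authentication list msftad
 aaa authorization list msftad
 gateway somegw
 inservice
webvpn context other-context
 policy group other-policy
 default-group-policy other-policy
 aaa authentication list local-only
 gateway somegw
"""


def parse_tree(text):
    """Turn indentation-nested config lines into (command, children) tuples.
    Sub-mode commands are indented deeper than their parent; blank and '!' lines are skipped."""
    root = []
    stack = [(-1, root)]  # (indent level, child list) for each open block
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = (raw.strip(), [])
        while stack[-1][0] >= indent:  # close blocks at the same or deeper level
            stack.pop()
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def radius_login_lists(tree):
    """Names of 'aaa authentication login' lists whose method is a RADIUS group."""
    names = set()
    for cmd, _ in tree:
        m = re.match(r"aaa authentication login (\S+) group radius\b", cmd)
        if m:
            names.add(m.group(1))
    return names


def audit(text):
    """Return one finding string per control that is missing or weakened."""
    tree = parse_tree(text)
    radius_lists = radius_login_lists(tree)
    findings = []
    for cmd, children in tree:
        m = re.match(r"webvpn context (\S+)", cmd)
        if not m:
            continue
        ctx = m.group(1)
        child_cmds = [c for c, _ in children]
        # Which login list does this context authenticate against?
        auth = next((c.split()[-1] for c in child_cmds
                     if c.startswith("aaa authentication list ")), None)
        if auth is None:
            findings.append(f"{ctx}: no 'aaa authentication list' bound to the context")
        elif auth not in radius_lists:
            findings.append(f"{ctx}: authentication list '{auth}' is not a RADIUS-backed login list")
        # Concurrent-user cap, checked directly under the context.
        if not any(c.startswith("max-users ") for c in child_cmds):
            findings.append(f"{ctx}: no max-users limit configured")
        # File access functions are enabled per policy group.
        for c, grandchildren in children:
            pm = re.match(r"policy group (\S+)", c)
            if not pm:
                continue
            for g, _ in grandchildren:
                if g.startswith("functions file-"):
                    findings.append(f"{ctx}/{pm.group(1)}: '{g}' enables SSL VPN file access")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against a `show running-config` capture, the script reports three things for the constructed sample: `some-context` is fine on AAA and max-users but its policy group enables file access, while the made-up `other-context` uses a non-RADIUS list and has no user cap. The parser keys purely on indentation, so it is only as reliable as the capture's whitespace; feed it raw device output rather than a mail-wrapped paste like the one quoted below.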

-----Original Message-----
From: Beauty [mailto:fordownloadsccie_at_gmail.com]
Sent: Sunday, November 14, 2010 2:52 PM
To: Joseph L. Brunner
Cc: ccielab_at_groupstudy.com
Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY

Is there a way to limit bandwidth and the number of users utilizing the
SSL VPN connection? I am thinking QoS policing inbound; is that a
valid solution, and does anyone have other ideas?

On 11/12/10, Beauty <fordownloadsccie_at_gmail.com> wrote:
> Thanks a lot Joe , its very clear now
>
> On 11/12/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>> Block using devices like usb flash hd's, external hd, etc.
>>
>> -----Original Message-----
>> From: Beauty [mailto:fordownloadsccie_at_gmail.com]
>> Sent: Friday, November 12, 2010 10:58 AM
>> To: Joseph L. Brunner
>> Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY
>>
>> Please can you explain what you mean by "file" access? I am quite
>> new in the Cisco security world,
>>
>> so pardon my ignorance.
>>
>> On 11/12/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>>> Yes, you can disable "file" access!
>>>
>>> http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa7b.shtml#II1
>>>
>>> "Captain, I'm detecting much win in this sector"
>>>
>>>
>>> -Joe
>>>
>>> -----Original Message-----
>>> From: Beauty [mailto:fordownloadsccie_at_gmail.com]
>>> Sent: Friday, November 12, 2010 10:37 AM
>>> To: Joseph L. Brunner
>>> Cc: ccielab_at_groupstudy.com
>>> Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY
>>>
>>> Thanks Joe for the response,
>>> thanks for also laughing at my ignorance.
>>> Also I want to know if the Cisco Secure Desktop also prevents users
>>> from storing info accessed over the VPN on external devices like flash
>>> drives, external HDDs, CD-ROMs etc.; if not, is there any Cisco or
>>> network solution for this?
>>>
>>>
>>>
>>> On 11/12/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>>>> LOL,
>>>>
>>>> Yeah quite easily;
>>>>
>>>> Simply configure the standard radius groups you always configure and
>>>> expose
>>>> AD via radius in IAS in 2003 AD, or NPS in 2008
>>>>
>>>>
>>>> aaa authentication login msftad group radius
>>>>
>>>> aaa authorization network msftad group radius
>>>>
>>>> radius-server host 10.110.20.10 auth-port 1645 acct-port 1646 key 7 0991430B2A5411001
>>>>
>>>> webvpn gateway somegw
>>>> webvpn context some-context
>>>> policy group some-policy
>>>> default-group-policy some-policy
>>>> aaa authentication list msftad
>>>> aaa authorization list msftad
>>>> gateway somegw
>>>>
>>>> then on AD set up IAS/NPS (here are some notes for Windows 2008
>>>> Server's Network Policy Server (NPS)):
>>>>
>>>> http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3
>>>>
>>>> -Joe
>>>>
>>>> -----Original Message-----
>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>>> Beauty
>>>> Sent: Friday, November 12, 2010 10:07 AM
>>>> To: ccielab_at_groupstudy.com
>>>> Subject: OT: IOS SSLVPN AND ACTIVE DIRECTORY
>>>>
>>>> Hi All,
>>>> Is it possible to configure IOS SSL VPN to authenticate users against
>>>> Active Directory? If yes, can anyone provide suitable links.
>>>>
>>>> --
>>>> Warm Regards ,
>>>> Beauty
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>>
>>> --
>>> Warm Regards ,
>>> Beauty
>>>
>>
>>
>> --
>> Warm Regards ,
>> Beauty
>>
>
>
> --
> Warm Regards ,
> Beauty
>

-- 
Warm Regards ,
Beauty
Received on Sun Nov 14 2010 - 18:18:09 ART

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART