RE: IOS SSLVPN AND ACTIVE DIRECTORY

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 15 Nov 2010 13:48:40 +0000

And if you don't need the clientless SSL function, AnyConnect Essentials (for ASA) is a cheap alternative that will max out your SSL client capabilities.

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Joseph L. Brunner
Sent: Monday, November 15, 2010 4:52 AM
To: Beauty
Cc: ccielab_at_groupstudy.com
Subject: RE: IOS SSLVPN AND ACTIVE DIRECTORY

I'm not trying to be a jerk- the world is much harder than most people are willing to accept;

"The Emperor is not as forgiving as I am"

Good luck in your studies;

I would seriously recommend switching to an ASA FW if this SSL VPN is going to support a serious network;

-Joe

-----Original Message-----
From: Beauty [mailto:fordownloadsccie_at_gmail.com]
Sent: Monday, November 15, 2010 4:48 AM
To: Joseph L. Brunner
Cc: ccielab_at_groupstudy.com
Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY

Thanks Joe, you have been extremely helpful; you are right, I should read more on it and I will, I just needed answers quickly.

You have been really helpful, even though at times I was tempted to call you a jerk :) but I am at your mercy since I need the help :)

On 11/15/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
> I really suggest you read the tech docs on this technology if you are
> going to be deploying it and supporting it...
>
> http://www.cisco.com/en/US/products/ps6496/products_configuration_exam
> ple09186a0080720346.shtml
>
> WHY WOULDN'T YOU READ IT?
>
> How do you learn things?
>
> Who is paying you if you are not willing to even take basic steps to
> improve your knowledge of this basic technology?
>
> If you did read it,
>
> You would see this command under the SSL VPN group policy
>
> max-users 25
>
>
> Now regarding QOS for SSL VPN users;
>
> The best approach for this is to implement a WRED and CBWFQ policy for
> all traffic and make use of QoS policies that effectively ensure low
> latency traffic (i.e. voice) works regardless of what someone is
> pushing over their SSL VPN connection.
>
> Additionally, if you want the entire SSL VPN process to be limited
> out of an interface, I would simply make a CAR policy (i.e. rate-limit
> commands) and match an ACL where the source of the traffic is the
> webvpn IP and the destination is any. But you will have to play with
> this, as I can't recall how rate-limit works on traffic FROM the router.
>
> -Joe
>
> -----Original Message-----
> From: Beauty [mailto:fordownloadsccie_at_gmail.com]
> Sent: Sunday, November 14, 2010 2:52 PM
> To: Joseph L. Brunner
> Cc: ccielab_at_groupstudy.com
> Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY
>
> Is there a way to limit bandwidth and the number of users utilizing the
> SSL VPN connection? I am thinking QoS policing inbound; is that a
> valid solution, and does anyone have other ideas?
>
> On 11/12/10, Beauty <fordownloadsccie_at_gmail.com> wrote:
>> Thanks a lot Joe, it's very clear now
>>
>> On 11/12/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>>> Block the use of devices like USB flash drives, external HDs, etc.
>>>
>>> -----Original Message-----
>>> From: Beauty [mailto:fordownloadsccie_at_gmail.com]
>>> Sent: Friday, November 12, 2010 10:58 AM
>>> To: Joseph L. Brunner
>>> Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY
>>>
>>> Please can you explain what you mean by "file" access? I am quite
>>> new in the Cisco security world.
>>>
>>> So pardon my ignorance.
>>>
>>> On 11/12/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>>>> Yes, you can disable "file" access!
>>>>
>>>> http://www.cisco.com/en/US/products/ps6496/products_configuration_e
>>>> xample09186a008072aa7b.shtml#II1
>>>>
>>>> "Captain, I'm detecting much win in this sector"
>>>>
>>>>
>>>> -Joe
>>>>
>>>> -----Original Message-----
>>>> From: Beauty [mailto:fordownloadsccie_at_gmail.com]
>>>> Sent: Friday, November 12, 2010 10:37 AM
>>>> To: Joseph L. Brunner
>>>> Cc: ccielab_at_groupstudy.com
>>>> Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY
>>>>
>>>> Thanks Joe for the response,
>>>> and thanks also for laughing at my ignorance. Also I want to know if
>>>> the Cisco Secure Desktop also prevents users from storing info
>>>> accessed over the VPN on external devices like flash drives,
>>>> external HDDs, CD-ROMs etc. If not, is there any Cisco or network
>>>> solution for this?
>>>>
>>>> On 11/12/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>>>>> LOL,
>>>>>
>>>>> Yeah, quite easily;
>>>>>
>>>>> Simply configure the standard RADIUS groups you always configure
>>>>> and expose AD via RADIUS in IAS in 2003 AD, or NPS in 2008.
>>>>>
>>>>>
>>>>> aaa authentication login msftad group radius
>>>>>
>>>>> aaa authorization network msftad group radius
>>>>>
>>>>> radius-server host 10.110.20.10 auth-port 1645 acct-port 1646 key 7 0991430B2A5411001
>>>>>
>>>>> webvpn gateway somegw
>>>>> webvpn context some-context
>>>>>  policy group some-policy
>>>>>  default-group-policy some-policy
>>>>>  aaa authentication list msftad
>>>>>  aaa authorization list msftad
>>>>>  gateway somegw
>>>>>
>>>>> then on AD set up IAS/NPS (here are some notes for Windows 2008
>>>>> Server's Network Policy Server (NPS))
>>>>>
>>>>> http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/
>>>>> bfbbbae4-a280-4b3f-b214-02867b7d33e3
>>>>>
>>>>> -Joe
>>>>>
>>>>> -----Original Message-----
>>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On
>>>>> Behalf Of Beauty
>>>>> Sent: Friday, November 12, 2010 10:07 AM
>>>>> To: ccielab_at_groupstudy.com
>>>>> Subject: OT: IOS SSLVPN AND ACTIVE DIRECTORY
>>>>>
>>>>> Hi All,
>>>>> Is it possible to configure IOS SSL VPN to authenticate users
>>>>> against Active Directory? If yes, can anyone provide suitable links.
>>>>>
>>>>> --
>>>>> Warm Regards ,
>>>>> Beauty
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Warm Regards ,
>>>> Beauty
>>>>
>>>
>>>
>>> --
>>> Warm Regards ,
>>> Beauty
>>>
>>
>>
>> --
>> Warm Regards ,
>> Beauty
>>
>
>
> --
> Warm Regards ,
> Beauty
>

--
Warm Regards ,
Beauty
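The RADIUS exchange behind Joe's `aaa authentication login msftad group radius` / `radius-server host ... key` config, as an added example that is not part of the thread: the router (NAS) hides the webvpn user's password under the shared secret, and NPS signs its Access-Accept/Reject with that same secret, so the secret is the only thing protecting a login on the wire and the only thing letting the router trust the verdict. It assumes PAP and uses a constructed secret, user, password and user database (nothing from the thread's real key).

```python
import hashlib
import struct

# Constructed values for the example; the secret is a placeholder, not the key from the thread.
SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types

def _avp(kind, value):  # one RADIUS attribute: type, total length, value
    return struct.pack("!BB", kind, 2 + len(value)) + value

def _pap_xor(data, secret, authenticator, hide):
    # Each 16-byte block is XORed with MD5(secret + previous ciphertext block);
    # the first block is chained to the Request Authenticator instead.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]
        out += block
    return out

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: null-pad to 16-byte blocks, then chained XOR."""
    return _pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)

def pap_unhide(hidden, secret, authenticator):
    return _pap_xor(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator):
    """Router (NAS) side: the Access-Request sent to NPS for a webvpn login."""
    attrs = _avp(USER_NAME, username) + _avp(USER_PASSWORD, pap_hide(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def server_handle(packet, secret, user_db):
    """NPS side: unhide the password, check it, and sign the verdict with the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    ok = user_db.get(attrs[USER_NAME]) == pap_unhide(attrs[USER_PASSWORD], secret, req_auth)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()   # Response Authenticator

def client_accepts(reply, request, secret):
    """Router side: trust an Access-Accept only if its Response Authenticator verifies."""
    expected = hashlib.md5(reply[:4] + request[4:20] + secret).digest()
    return reply[0] == ACCESS_ACCEPT and reply[4:20] == expected
```

A reply forged by something on the path without the secret fails `client_accepts`, which is why the secret and the trust in the path to NPS matter as much as the AD credentials themselves.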
Received on Mon Nov 15 2010 - 13:48:40 ART

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART