[c-nsp] WebVPN via RADIUS - how to identify by group?
LaPorte, David
david_laporte at harvard.edu
Fri Sep 5 08:23:54 EDT 2008
You could pass the group as a realm to the RADIUS server by having the
users log in as USER at GROUP. The RADIUS server could authenticate them
and return a Class="OU=GROUP;" attribute to map them properly.
You could also provide a group list to the user:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
I prefer not to do this since it could make enumeration attacks a bit
easier, but it has its place.
hope that helps,
Dave
Ben Steele wrote:
> Howdy all,
>
> Anyone know if it's possible to get an ASA to spit out the group name in an
> av-pair via RADIUS when authenticating a user? (in this case WebVPN).
>
> The issue I'm having is multiple clients on the one ASA authenticating via
> IAS/AD and the possibility of overlapping usernames between clients (groups).
> I need another identifier from the ASA to auth them against other than
> user/pass, i.e. group would be perfect.
>
> Any ideas?
>
> Cheers
>
> Ben
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
-----------------------------------------------
Email: david_laporte at harvard.edu
PGP: 0x4DC3E508
4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
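The USER@GROUP realm approach from Dave's reply, sketched as an added Python example (not code from the thread, Cisco, or any RADIUS server): it splits the realm off the username, maps it to an ASA group-policy name, and builds the RADIUS Class attribute (type 25, RFC 2865) that the server would return so the ASA can map the session. The realm-to-policy table and policy names are assumed; an unknown or missing realm yields no Class value so the server can reject rather than let the user land in a default policy.

```python
import struct

# Constructed mapping: realm supplied by the user -> ASA group-policy name.
# (Assumed values; a real deployment keeps this on the RADIUS server.)
GROUP_POLICIES = {"clientA": "GP-ClientA", "clientB": "GP-ClientB"}
RADIUS_CLASS = 25  # attribute type for Class (RFC 2865)


def split_realm(username):
    """Split 'user@group' into (user, group); group is None when no '@'."""
    if "@" not in username:
        return username, None
    user, _, realm = username.rpartition("@")
    return user, realm


def class_value_for(username):
    """Return the 'OU=<policy>;' Class value the server should send,
    or None when the realm is missing or not in the allow-list."""
    user, realm = split_realm(username)
    if not user or realm is None:
        return None
    policy = GROUP_POLICIES.get(realm)
    if policy is None:
        return None
    return "OU=%s;" % policy


def encode_class_avp(value):
    """Encode Class as a RADIUS AVP: type(1) length(1) value(<=253 bytes)."""
    data = value.encode("ascii")
    if len(data) > 253:
        raise ValueError("Class value too long for a single AVP")
    return struct.pack("BB", RADIUS_CLASS, 2 + len(data)) + data


def decode_avp(raw):
    """Decode one AVP back into (type, value bytes) for verification."""
    avp_type, length = struct.unpack("BB", raw[:2])
    return avp_type, raw[2:length]


if __name__ == "__main__":
    for name in ("alice@clientA", "bob@clientZ", "carol"):
        value = class_value_for(name)
        print(name, "->", value, encode_class_avp(value) if value else "(reject)")
```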