[c-nsp] WebVPN via RADIUS - how to identify by group?

LaPorte, David david_laporte at harvard.edu
Fri Sep 5 08:23:54 EDT 2008


You could pass the group as a realm to the RADIUS server by having the
users log in as USER@GROUP.  The RADIUS server could authenticate them
and return a Class="OU=GROUP;" attribute to map them properly.

You could also provide a group list to the user:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

I prefer not to do this since it could make enumeration attacks a bit
easier, but it has its place.

hope that helps,
Dave

Ben Steele wrote:
> Howdy all,
> 
> Anyone know if it's possible to get an ASA to spit out the group name in an
> av-pair via RADIUS when authenticating a user? (in this case WebVPN).
> 
> The issue I'm having is multiple clients on the one ASA authenticating via
> IAS/AD and the possibility of overlapping usernames between clients (groups).
> I need another identifier from the ASA to auth them against other than
> user/pass, i.e. group would be perfect.
> 
> Any ideas?
> 
> Cheers
> 
> Ben
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
-----------------------------------------------
Email: david_laporte at harvard.edu
  PGP: 0x4DC3E508
       4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
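To make the realm scheme from the reply concrete, here is an added example (my own, not code from the original post, from Cisco, or from any RADIUS server) of what the RADIUS side has to do: split USER@GROUP into user and realm, authenticate the user within that group, and answer with a Class="OU=GROUP;" reply attribute. The user store, passwords, salt and the `authenticate`/`split_realm`/`group_from_class` helper names are all constructed for this example; a real deployment would back this with AD/IAS. It also shows the caveat raised in the reply about enumeration: every failure path returns an identical reject, so a caller cannot tell an unknown group from a wrong password.

```python
"""Added example (not from the original post): RADIUS-side handling of a
USER@GROUP realm that returns Class="OU=GROUP;" for ASA group mapping.
All data below is constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the example store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed: a single static salt keeps the example short; use a random
# per-user salt in anything real.
_SALT = b"constructed-example-salt"

# Constructed user store keyed by (user, group). Note "bob" exists in two
# groups with different passwords, which is exactly the overlap the original
# question is about.
USER_DB: Dict[Tuple[str, str], bytes] = {
    ("alice", "clientA"): _hash("alice-pass", _SALT),
    ("bob", "clientB"): _hash("bob-pass", _SALT),
    ("bob", "clientA"): _hash("other-pass", _SALT),
}


def split_realm(login: str) -> Optional[Tuple[str, str]]:
    """Split 'user@group' into (user, group); None if either side is missing."""
    user, sep, group = login.rpartition("@")
    if not sep or not user or not group:
        return None
    return user, group


def authenticate(login: str, password: str) -> Dict[str, str]:
    """Return the RADIUS reply as a dict: Access-Accept plus Class, or Access-Reject.

    Bad realm, unknown user, unknown group and wrong password all yield the
    same reject, so the response does not reveal which part was wrong.
    """
    parsed = split_realm(login)
    if parsed is None:
        return {"code": "Access-Reject"}
    user, group = parsed
    stored = USER_DB.get((user, group))
    # Always compute the hash so known and unknown users take similar time.
    candidate = _hash(password, _SALT)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return {"code": "Access-Reject"}
    # Class attribute in the OU=GROUP; form described in the reply.
    return {"code": "Access-Accept", "Class": f"OU={group};"}


def group_from_class(class_attr: str) -> Optional[str]:
    """Pull the OU= value out of a Class attribute, i.e. the group the ASA
    would map the session to. Tolerates extra key=value pairs and whitespace."""
    for part in class_attr.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "OU":
            return value.strip() or None
    return None


if __name__ == "__main__":
    for login, pw in [("alice@clientA", "alice-pass"),
                      ("bob@clientA", "bob-pass"),
                      ("alice", "alice-pass")]:
        reply = authenticate(login, pw)
        print(login, "->", reply, "group:",
              group_from_class(reply.get("Class", "")))
```

Running the script shows `alice@clientA` accepted with `Class=OU=clientA;`, while `bob@clientA` with clientB's password and a login with no realm both get the same bare Access-Reject.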
