[c-nsp] WebVPN via RADIUS - how to identify by group?

Ben Steele ben.steele at internode.on.net
Fri Sep 5 20:41:33 EDT 2008


Problem with the group selection method is via a debug radius I don't see it
send any attribute about the group to RADIUS (I did try this way at first),
and therefore I can't get RADIUS to match on a group as well as user/pass.
The username at realm might be an option; have you tried this before by sending
back a group attribute to the ASA from RADIUS and it actually acknowledging
it and putting the WEBVPN user into that group?

Cheers

Ben

-----Original Message-----
From: LaPorte, David [mailto:david_laporte at harvard.edu] 
Sent: Friday, 5 September 2008 9:54 PM
To: Ben Steele
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group?

You could pass the group as a realm to the RADIUS server by having the
users log in as USER at GROUP.  The RADIUS server could authenticate them
and return a Class="OU=GROUP;" attribute to map them properly.

You could also provide a group list to the user:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

I prefer not to do this since it could make enumeration attacks a bit
easier, but it has its place.

hope that helps,
Dave

Ben Steele wrote:
> Howdy all,
> 
> Anyone know if it's possible to get an ASA to spit out the group name in an
> av-pair via radius when authenticating a user? (in this case webvpn).
> 
> The issue I'm having is multiple clients on the one ASA authenticating via
> IAS/AD and the possibility of overlapping usernames between clients (groups),
> I need another identifier from the ASA to auth them against other than
> user/pass, ie group would be perfect.
> 
> Any ideas?
> 
> Cheers
> 
> Ben
> 

-- 
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
-----------------------------------------------
Email: david_laporte at harvard.edu
  PGP: 0x4DC3E508
       4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
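As an added illustration of the USER@GROUP realm mapping Dave describes (example code written for this archive page, not from the thread, Cisco or IAS), the Python below splits the realm off the login, checks that the user is actually a member of the requested group before mapping (so a user cannot pick an arbitrary group-policy just by typing a different realm), and encodes the RADIUS Class attribute (type 25, RFC 2865 TLV) as the server would return it in the Access-Accept. The GROUP_MEMBERSHIP table is constructed for the example; in a real deployment membership comes from IAS/AD.

```python
import struct

RADIUS_ATTR_CLASS = 25  # RFC 2865 attribute type for Class

# Constructed example data: which client groups each user belongs to.
# A real server would look this up in IAS/AD, not a dict.
GROUP_MEMBERSHIP = {
    "alice": {"clientA"},
    "bob": {"clientB"},
    "carol": {"clientA", "clientB"},
}

def split_realm(login):
    """Split a USER@GROUP login into (user, group); group is None if absent."""
    if "@" not in login:
        return login, None
    user, _, group = login.rpartition("@")
    return user, group or None

def encode_class_attr(group):
    """Encode Class="OU=GROUP;" as a RADIUS TLV: type, total length, string."""
    value = f"OU={group};".encode("ascii")
    length = 2 + len(value)
    if length > 255:
        raise ValueError("RADIUS attribute too long")
    return struct.pack("!BB", RADIUS_ATTR_CLASS, length) + value

def decode_attrs(blob):
    """Parse a run of RADIUS TLV attributes into (type, value) pairs."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out

def build_reply(login):
    """Attribute bytes for Access-Accept, or None if the mapping is refused."""
    user, group = split_realm(login)
    if group is None or group not in GROUP_MEMBERSHIP.get(user, set()):
        return None  # never map a user into a group they are not a member of
    return encode_class_attr(group)

def class_group(attrs_blob):
    """Recover the group name from a Class="OU=GROUP;" attribute, if present."""
    for atype, val in decode_attrs(attrs_blob):
        if atype == RADIUS_ATTR_CLASS and val.startswith(b"OU=") and val.endswith(b";"):
            return val[3:-1].decode("ascii")
    return None
```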



