[c-nsp] WebVPN via RADIUS - how to identify by group?
LaPorte, David
david_laporte at harvard.edu
Fri Sep 5 22:36:17 EDT 2008
We're doing exactly that, although with Radiator vs IAS.
Dave
Ben Steele wrote:
> Problem with the group selection method is via a debug radius I don't see it
> send any attribute about the group to RADIUS (I did try this way at first)
> and therefore I can't get RADIUS to match on a group as well as user/pass,
> the username at realm might be an option, have you tried this before by sending
> back a group attribute to the ASA from RADIUS and it actually acknowledging
> it and putting the WEBVPN user into that group?
>
> Cheers
>
> Ben
>
> -----Original Message-----
> From: LaPorte, David [mailto:david_laporte at harvard.edu]
> Sent: Friday, 5 September 2008 9:54 PM
> To: Ben Steele
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
>
> You could pass the group as a realm to the RADIUS server by having the
> users log in as USER at GROUP. The RADIUS server could authenticate them
> and return a Class="OU=GROUP;" attribute to map them properly.
>
> You could also provide a group list to the user:
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
>
> I prefer not to do this since it could make enumeration attacks a bit
> easier, but it has its place.
>
> hope that helps,
> Dave
>
> Ben Steele wrote:
>> Howdy all,
>>
>> Anyone know if it's possible to get an ASA to spit out the group name in
>> an av-pair via radius when authenticating a user? (in this case webvpn).
>>
>> The issue I'm having is multiple clients on the one ASA authenticating via
>> IAS/AD and the possibility of overlapping usernames between
>> clients (groups), I need another identifier from the ASA to auth them
>> against other than user/pass, ie group would be perfect.
>>
>> Any ideas?
>>
>> Cheers
>>
>> Ben
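As an added illustration of the USER@GROUP realm mapping Dave describes above (example code written for this page, not anything from the thread, Radiator, IAS or the ASA): a minimal RADIUS-style authorization function that splits the realm off the username, checks the credential against a per-group user store, and on success returns the Class="OU=GROUP;" attribute the ASA uses to place the WebVPN user into that group. The store contents, user names and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed per-group user store: the same username "bob" exists in two
# client groups with different passwords (the overlapping-username problem
# from the thread). Values are (salt, salted SHA-256 hex digest).
def _pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USER_STORE = {
    "clientA": {"bob": ("saltA", _pw_hash("saltA", "pwA"))},
    "clientB": {"bob": ("saltB", _pw_hash("saltB", "pwB"))},
}

def split_realm(user_name: str):
    """Split 'USER@GROUP' into (user, group); None if there is no single realm."""
    if user_name.count("@") != 1:
        return None
    user, group = user_name.split("@")
    if not user or not group:
        return None
    return user, group

def authorize(user_name: str, password: str, store=USER_STORE):
    """Return (accepted, reply_attributes) the way a RADIUS server would.

    On success the reply carries Class="OU=<group>;" so the ASA maps the
    session to that group policy. Every failure path returns the same
    reject, so a caller cannot tell an unknown realm from an unknown user
    or a wrong password (this limits the enumeration risk the thread notes).
    """
    reject = (False, {})
    parsed = split_realm(user_name)
    if parsed is None:
        return reject
    user, group = parsed
    # Look the user up only inside the realm's group, so "bob" in clientA
    # and "bob" in clientB are distinct accounts with distinct credentials.
    salt, expected = store.get(group, {}).get(user, ("", ""))
    if not expected:
        return reject
    if not hmac.compare_digest(_pw_hash(salt, password), expected):
        return reject
    return True, {"Class": f"OU={group};"}
```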