[c-nsp] WebVPN via RADIUS - how to identify by group?

Stuart Lowes Stuart_Lowes at coffey.com
Sat Sep 6 00:39:40 EDT 2008


Ben Steele wrote:
> Problem with the group selection method is via a debug radius I don't see it
> send any attribute about the group to RADIUS (I did try this way at first)
> and therefore I can't get RADIUS to match on a group as well as user/pass.
> The username@realm might be an option. Have you tried this before by sending
> back a group attribute to the ASA from RADIUS and it actually acknowledging
> it and putting the WEBVPN user into that group?

Ben,

If you have two group policies set up on your ASA, "GroupPolicy1" and "GroupPolicy2", you can set the RADIUS "Class" attribute to OU=GroupPolicy1 or OU=GroupPolicy2.

In IAS, set up two policies matching AD Security Groups "Group1" and "Group2" respectively. Members of Group1 are assigned OU=GroupPolicy1, and Group2 gets OU=GroupPolicy2. The text after OU= must match the name of the ASA's group policy exactly, and will assign that Group Policy to the VPN user's session.

If you now also have two Tunnel Groups, "TunnelGroup1" and "TunnelGroup2", on the ASA, you can use the "group-lock xxx" command to lock TunnelGroup1 to GroupPolicy1 and TunnelGroup2 to GroupPolicy2. If a user who is a member of Group1 tries to use the TunnelGroup2 VPN profile, they will get rejected when the ASA compares the OU=GroupPolicy1 (assigned to the user by IAS) with the GroupPolicy2 value expected by TunnelGroup2.


Cheers


Stuart
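The ASA side of the scheme Stuart describes, as an added configuration example (not part of his post or of any Cisco documentation). The server address, interface name, shared secret, the server-group name "IAS" and the "NoAccess" fallback policy are assumed values. Note that on the ASA the group-lock keyword lives under the group-policy attributes and names the tunnel group that policy is allowed to be used with, which is the direction that produces the rejection described above. The default-group-policy of each tunnel group is deliberately set to a policy with zero simultaneous logins, so a user whose RADIUS reply carries no usable Class attribute (not in Group1 or Group2, or IAS misconfigured) is not silently admitted under whatever the default would otherwise be.

```cisco
! Added example (not from the original post): ASA 8.0-era configuration.
! 10.0.0.5, "inside", the key and the "IAS"/"NoAccess" names are assumptions.

! RADIUS server group pointing at the IAS box
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.0.0.5
 key S3cretSharedKey

! Fallback policy: nobody lands here and stays connected
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! Group policies. The text after OU= in the RADIUS Class attribute
! (IETF attribute 25) must match these names exactly, case-sensitive.
! group-lock ties each policy to the one tunnel group it may be used with;
! a user pushed into GroupPolicy1 who logged in via TunnelGroup2 is dropped.
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol webvpn
 group-lock value TunnelGroup1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol webvpn
 group-lock value TunnelGroup2

! Tunnel groups (connection profiles), both authenticating against IAS.
! default-group-policy is NoAccess, so only a RADIUS-assigned policy admits.
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
 authentication-server-group IAS
 default-group-policy NoAccess
tunnel-group TunnelGroup1 webvpn-attributes
 group-alias TunnelGroup1 enable
tunnel-group TunnelGroup2 type remote-access
tunnel-group TunnelGroup2 general-attributes
 authentication-server-group IAS
 default-group-policy NoAccess
tunnel-group TunnelGroup2 webvpn-attributes
 group-alias TunnelGroup2 enable

! Expose both profiles on the clientless portal login page
webvpn
 enable outside
 tunnel-group-list enable
```

To confirm the attribute is actually arriving, run "debug radius" while a test user logs in and look for the Class attribute carrying OU=GroupPolicy1 in the Access-Accept; "show vpn-sessiondb webvpn" then shows the Group Policy and Tunnel Group the session was placed in. If IAS sends Class but the session still lands in the default policy, the usual cause is a name mismatch (case or trailing whitespace) between the OU= value and the group-policy name.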


