ASA - logging via radius with group name passed.

Unanswered Question
Feb 6th, 2007


I'm trying to setup ASA5520 with Radius to authenticate users with group


Useing Radius with ASA to authenticate users is quite simple. When I try

to pass from asa tunnel-group name (with group-policy and attributes

attached) there is a problem that ASA dosn't pass any group name to


Is there any way to overcome it?

What I want to do is to apply different policies to username depending

with what tunnel-group name he logs in to webvpn. I assume one user may

be member of different groups.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
fmeetz Mon, 02/12/2007 - 06:33

The issue is the tunnel group name must be the IP address of the remote peer.

For example

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

marcin.mazurek Mon, 02/12/2007 - 06:36

I'm trying to pass this in webvpn, not ipsec tunnel. Do You know if this is possible?

astroman Tue, 05/22/2007 - 07:04

It's possible.

Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.

Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or other method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, which you can then limit URL's shown with the url-list command.

Long winded, I know...any questions, please ask.

ydemissie Wed, 06/06/2007 - 08:31

I ran into a problem with ASA 7.0(6) because with that version you cannot specify an IP address pool in the group policy (only in the tunnel group). So, if the default tunnel-group does not have an IP pool assign to it, the client cannot get an IP address. With Version 7.2(2), you can assign an IP pool in both the Group Policy and the Tunnel-Group so you can assign a specific IP pool based on the attribute 25 received from the radius server.


You advice is really helpful! but I have a doubt on "Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group"

We shall define a group policy for a tunnel group. If we do not specify the default group policy for the default WebVPN tunnel group, is it harmless to specify one of the user-defined group policies? Or will it better to create a dummy group policies for this?

astroman Fri, 06/08/2007 - 02:28

I apologize if I was unclear...

Yes, you'll have to keep the default webvpn group policy when the default webvpn tunnel-group is built.

I have some other recommendations as far as keeping the default webvpn group locked down tightly via ACS, that I'll post about in a little while.

Any other questions, please let us know...


This Discussion