Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
816
Views
4
Helpful
6
Replies

ASA - logging via radius with group name passed.

marcin.mazurek
Level 1
Level 1

‎02-06-2007 04:16 AM - edited ‎03-10-2019 02:58 PM

Hi,

I'm trying to setup ASA5520 with Radius to authenticate users with group

privileges.

Useing Radius with ASA to authenticate users is quite simple. When I try

to pass from asa tunnel-group name (with group-policy and attributes

attached) there is a problem that ASA dosn't pass any group name to

radius.

Is there any way to overcome it?

What I want to do is to apply different policies to username depending

with what tunnel-group name he logs in to webvpn. I assume one user may

be member of different groups.

br

Marcin

Labels:
0 Helpful
6 Replies 6

fmeetz
Level 4
Level 4

‎02-12-2007 06:33 AM

The issue is the tunnel group name must be the IP address of the remote peer.

For example

tunnel-group 172.20.77.10 type ipsec-l2l

tunnel-group 172.20.77.10 ipsec-attributes

0 Helpful

marcin.mazurek
Level 1
Level 1
In response to fmeetz

‎02-12-2007 06:36 AM

I'm trying to pass this in webvpn, not ipsec tunnel. Do You know if this is possible?

0 Helpful

astroman
Level 1
Level 1
In response to marcin.mazurek

‎05-22-2007 07:04 AM

It's possible.

Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.

Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or other method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, which you can then limit URL's shown with the url-list command.

Long winded, I know...any questions, please ask.

ydemissie
Level 1
Level 1
In response to astroman

‎06-06-2007 08:31 AM

I ran into a problem with ASA 7.0(6) because with that version you cannot specify an IP address pool in the group policy (only in the tunnel group). So, if the default tunnel-group does not have an IP pool assign to it, the client cannot get an IP address. With Version 7.2(2), you can assign an IP pool in both the Group Policy and the Tunnel-Group so you can assign a specific IP pool based on the attribute 25 received from the radius server.

0 Helpful

xnym
Level 1
Level 1
In response to astroman

‎06-07-2007 08:16 PM

astroman,

You advice is really helpful! but I have a doubt on "Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group"

We shall define a group policy for a tunnel group. If we do not specify the default group policy for the default WebVPN tunnel group, is it harmless to specify one of the user-defined group policies? Or will it better to create a dummy group policies for this?

0 Helpful

astroman
Level 1
Level 1
In response to xnym

‎06-08-2007 02:28 AM

I apologize if I was unclear...

Yes, you'll have to keep the default webvpn group policy when the default webvpn tunnel-group is built.

I have some other recommendations as far as keeping the default webvpn group locked down tightly via ACS, that I'll post about in a little while.

Any other questions, please let us know...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents