02-06-2007 04:16 AM - edited 03-10-2019 02:58 PM
Hi,
I'm trying to set up an ASA5520 with RADIUS to authenticate users with group
privileges.
Using RADIUS with the ASA to authenticate users is quite simple. When I try
to pass the tunnel-group name from the ASA (with group-policy and attributes
attached) there is a problem: the ASA doesn't pass any group name to
RADIUS.
Is there any way to overcome it?
What I want to do is to apply different policies to a username depending
on which tunnel-group name he logs in to WebVPN with. I assume one user may
be a member of different groups.
br
Marcin
02-12-2007 06:33 AM
The issue is the tunnel group name must be the IP address of the remote peer.
For example
tunnel-group 172.20.77.10 type ipsec-l2l
tunnel-group 172.20.77.10 ipsec-attributes
02-12-2007 06:36 AM
I'm trying to pass this in WebVPN, not an IPsec tunnel. Do you know if this is possible?
05-22-2007 07:04 AM
It's possible.
Differentiate your privileges and restrictions based on the group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or another directory service). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, in which you can limit the URLs shown with the url-list command.
Long-winded, I know... any questions, please ask.
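The design described in the answer above, written out as an added example (not configuration posted by anyone in this thread). It shows a 7.2-era ASA with a single default WebVPN tunnel-group authenticating against RADIUS, two group-policies that differ only in their url-list, and the RADIUS reply deciding which policy applies. The server group name ACS, the host 10.1.1.5, the policy names SALES_GP and HR_GP, and the URL entries are all assumptions; the lockdown of DfltGrpPolicy is an addition of mine, not something the answer prescribes.

```cisco
! Added example, not from the thread. ASA 7.2-style WebVPN configuration where
! the per-user policy is selected by the RADIUS Class attribute (IETF #25).
! Assumed names: ACS, 10.1.1.5, SALES_GP, HR_GP, the url-list entries.

! RADIUS server group pointing at ACS. The shared secret is a placeholder.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5
 key <shared-secret>

! Global URL lists, one per user population (7.x global-config syntax).
url-list SALES_LINKS "Sales intranet" https://sales.example.com
url-list SALES_LINKS "CRM"            https://crm.example.com
url-list HR_LINKS    "HR portal"      https://hr.example.com

! DfltGrpPolicy is inherited by every other group-policy for any attribute
! they do not override. Setting the login limit to 0 here (my addition) means
! a user whose RADIUS reply carries no usable Class attribute lands in
! DfltGrpPolicy and is refused, instead of silently getting a default portal.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol webvpn

! Per-population policies. Each overrides the login limit so the lockdown
! above only bites users that ACS did not classify.
group-policy SALES_GP internal
group-policy SALES_GP attributes
 vpn-simultaneous-logins 3
 webvpn
  url-list value SALES_LINKS

group-policy HR_GP internal
group-policy HR_GP attributes
 vpn-simultaneous-logins 3
 webvpn
  url-list value HR_LINKS

! The default WebVPN tunnel-group authenticates against ACS and gets no
! default-group-policy line, so the RADIUS reply alone decides the policy.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ACS

webvpn
 enable outside
```

On the ACS side the Class attribute has to be returned in the form the ASA parses, `OU=SALES_GP;` with the `OU=` prefix and the trailing semicolon, and the name is matched against the group-policy name exactly. To confirm the mapping took, `show vpn-sessiondb webvpn` lists the Group Policy applied to each session, and `debug radius` shows whether attribute 25 arrived in the Access-Accept at all.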
06-06-2007 08:31 AM
I ran into a problem with ASA 7.0(6) because with that version you cannot specify an IP address pool in the group policy (only in the tunnel group). So, if the default tunnel-group does not have an IP pool assigned to it, the client cannot get an IP address. With version 7.2(2), you can assign an IP pool in both the group policy and the tunnel-group, so you can assign a specific IP pool based on the attribute 25 received from the RADIUS server.
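The 7.2(2) pool assignment the post above describes, as an added example that is not part of the thread. Pool names and ranges are assumptions, and the group-policy names SALES_GP and HR_GP are taken to be the ones the RADIUS Class attribute selects. Note that pools only matter for client sessions (the SSL VPN client, or IPsec); a clientless WebVPN portal session never needs an address.

```cisco
! Added example, not from the thread. IP pool selection driven by attribute 25
! on ASA 7.2(2) or later. Pool names and ranges are assumptions.
! On 7.0(6) the address-pools line under group-policy does not exist; only the
! tunnel-group address-pool line is available there.

ip local pool SALES_POOL 10.10.20.1-10.10.20.100 mask 255.255.255.0
ip local pool HR_POOL    10.10.30.1-10.10.30.100 mask 255.255.255.0
ip local pool FALLBACK   10.10.99.1-10.10.99.10  mask 255.255.255.0

! Pool bound to each policy the RADIUS Class attribute can select.
! Order of precedence on the ASA: a per-user address from RADIUS
! (Framed-IP-Address), then the group-policy address-pools, then the
! tunnel-group address-pool.
group-policy SALES_GP attributes
 address-pools value SALES_POOL
group-policy HR_GP attributes
 address-pools value HR_POOL

! Pool on the default tunnel-group: reached only when the selected
! group-policy names no pool (the 7.0(6) situation), so keep it small and
! filter it separately so an unclassified user cannot reach internal subnets.
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool FALLBACK
```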
06-07-2007 08:16 PM
astroman,
Your advice is really helpful, but I have a doubt about "Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group".
We have to define a group policy for a tunnel group. If we do not specify the default group policy for the default WebVPN tunnel group, is it harmless to specify one of the user-defined group policies? Or would it be better to create a dummy group policy for this?
06-08-2007 02:28 AM
I apologize if I was unclear...
Yes, you'll have to keep the default webvpn group policy when the default webvpn tunnel-group is built.
I have some other recommendations as far as keeping the default webvpn group locked down tightly via ACS, that I'll post about in a little while.
Any other questions, please let us know...