vpn authentication and authorization using pix 7.2 and acs

diptanshusingh
Level 1

Hi, I am using a PIX 7.2 and ACS 3.2. I want to perform remote-access VPN authentication and authorization through AAA using RADIUS. I am able to do it when I am using a local group policy on the PIX, but I am not able to do it using ACS. I was trying to use the Cisco av-pair to send the parameters, but it is not happening. Could somebody please tell me the steps to proceed?

17 Replies

Vivek Santuka
Cisco Employee

Hi,

What attributes are you trying to push ?

does the aaa server get any hits when trying to authenticate ?

Regards,

Vivek

Hi Vivek, I am successfully able to authenticate through ACS, and the clients are also getting their IP address from the IP pool defined on the ACS. The problem is that I was trying to push mode-config attributes like ipsec:firewall=0, ipsec:pfs=1 etc. through the Cisco av-pair RADIUS attribute, but it is not happening.

Hi,

Can you put in your config here ?

Regards,

Vivek

Hi, below is the AAA-related config on the PIX:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.10.10
 key xxxxxx
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 authentication-server-group Radius
 authentication-server-group (inside) Radius
 authorization-server-group Radius
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *

Hi,

Since you haven't given any group-policy config, I am assuming you haven't configured any external group policy on the ASA.

See the following link :-

http://www.cisco.com/en/US/products/ps6121/products_configuration_guide_chapter09186a00806a81e3.html#wp1133706

Once you have configured an external group policy on the PIX, you can push the required attributes from the ACS.

HTH.

Regards,

Vivek

Hi Vivek, I had also tried that. I made one external group with the name guest_group and a password of guest, and mapped it to my tunnel-group. Now in ACS the VPN users belong to guest_group only, and in it I defined these Cisco av-pair attributes:

vpngroup Password = "guest", Service-Type = Outbound
ipsec:firewall=1
ipsec:include-local-lan=1

Hi,

You would need to push attributes like client firewall, split-tunneling policy etc. using the attributes available under RADIUS (Cisco VPN 3000/ASA/PIX 7.x+).

You can find all attributes under Interface configuration->RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)

So instead of using the cisco-av-pair (026/009/001) you need to use the predefined attributes such as 026/3076/001.

Regards,

Vivek
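The distinction Vivek draws is about which RADIUS Vendor-Specific Attribute (type 26, RFC 2865 section 5.26) the server returns: cisco-av-pair is vendor 9 / vendor-type 1 carrying a free-form "key=value" string, while the VPN 3000/ASA/PIX 7.x+ attributes are typed sub-attributes under vendor 3076. The following Python is an added example, not code from the thread or from Cisco: it encodes both forms, then decodes a constructed Access-Accept attribute list and sorts the VSAs into the two families, which is what you would do to a captured reply to check what ACS is actually sending. The attribute names under vendor 3076 are an assumed subset of the public Cisco VPN 3000 dictionary and should be checked against the ACS Interface Configuration page; the thread itself only cites 026/3076/001.

```python
"""Encode and decode RADIUS Vendor-Specific Attributes (RFC 2865 section 5.26).

Two VSA families appear in the thread:
  * vendor 9 / vendor-type 1  : cisco-av-pair, a free-form "key=value" string
  * vendor 3076 / vendor-type N: typed Cisco VPN 3000 / ASA / PIX 7.x+ attributes
The decoder separates the two so you can see which one a RADIUS server returns.
"""
import struct

VSA_TYPE = 26            # RFC 2865 Vendor-Specific attribute
VENDOR_CISCO = 9         # cisco-av-pair lives here (026/009/001)
VENDOR_VPN3000 = 3076    # Cisco VPN 3000 / ASA / PIX 7.x+ attributes (026/3076/nnn)
FRAMED_IP_ADDRESS = 8    # standard RADIUS attribute, used in the sample payload

# ASSUMED subset of the Cisco VPN 3000 RADIUS dictionary: vendor-type -> (name, kind).
# Verify against ACS > Interface Configuration > RADIUS (Cisco VPN 3000/ASA/PIX 7.x+).
VPN3000_DICT = {
    1:  ("Access-Hours", "string"),
    27: ("IPSec-Split-Tunnel-List", "string"),
    55: ("IPSec-Split-Tunneling-Policy", "integer"),
}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one VSA: Type=26, Length, Vendor-Id(4), then Vendor-Type, Vendor-Length, data."""
    data = struct.pack("!I", value) if isinstance(value, int) else str(value).encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA exceeds the 255-byte RADIUS attribute limit")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def cisco_avpair(text):
    """026/009/001: the free-form form the original poster tried, e.g. 'ipsec:firewall=1'."""
    return encode_vsa(VENDOR_CISCO, 1, text)


def vpn3000_attr(vendor_type, value):
    """026/3076/nnn: the typed form the PIX/ASA group-policy engine consumes."""
    return encode_vsa(VENDOR_VPN3000, vendor_type, value)


def decode_attributes(blob):
    """Walk a RADIUS attribute list; return [(attr_type, vendor_id, vendor_type, raw_value)].

    Length fields are checked before use so a malformed or truncated list raises
    ValueError instead of silently yielding garbage."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        val = blob[i + 2:i + length]
        if t == VSA_TYPE:
            if len(val) < 6:
                raise ValueError("VSA too short for Vendor-Id and one sub-attribute")
            vendor = struct.unpack("!I", val[:4])[0]
            j = 4
            while j < len(val):
                if j + 2 > len(val):
                    raise ValueError("truncated vendor sub-attribute header")
                vt, vl = val[j], val[j + 1]
                if vl < 2 or j + vl > len(val):
                    raise ValueError("malformed vendor sub-attribute length")
                out.append((t, vendor, vt, val[j + 2:j + vl]))
                j += vl
        else:
            out.append((t, None, None, val))
        i += length
    return out


def summarize(blob):
    """Sort decoded attributes into cisco-av-pair strings, VPN 3000 attributes, and the rest."""
    summary = {"cisco_avpair": [], "vpn3000": {}, "other": []}
    for t, vendor, vt, raw in decode_attributes(blob):
        if vendor == VENDOR_CISCO and vt == 1:
            summary["cisco_avpair"].append(raw.decode())
        elif vendor == VENDOR_VPN3000:
            name, kind = VPN3000_DICT.get(vt, (f"Unknown-{vt}", "string"))
            if kind == "integer" and len(raw) == 4:
                summary["vpn3000"][name] = struct.unpack("!I", raw)[0]
            else:
                summary["vpn3000"][name] = raw.decode(errors="replace")
        else:
            summary["other"].append((t, raw))
    return summary


# CONSTRUCTED sample: the attribute list of an Access-Accept carrying a pool address,
# one cisco-av-pair (what the poster tried) and two VPN 3000 attributes (what the
# PIX/ASA 7.x group-policy engine reads). Not a capture from the thread.
SAMPLE_ACCEPT_ATTRS = (
    struct.pack("!BB", FRAMED_IP_ADDRESS, 6) + bytes([172, 16, 10, 5])
    + cisco_avpair("ipsec:firewall=1")
    + vpn3000_attr(55, 1)
    + vpn3000_attr(27, "split-acl")
)

if __name__ == "__main__":
    for family, content in summarize(SAMPLE_ACCEPT_ATTRS).items():
        print(family, content)
```

Feed `summarize()` the attribute bytes of a real Access-Accept (everything after the 20-byte RADIUS header) and an empty `vpn3000` dictionary next to a populated `cisco_avpair` list tells you the server is still returning only 026/009/001, which is the situation described in this thread.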

Yeah, thanks for your reply. I found in the guide that for older versions of ACS other than 4.0 we have to push the VPN concentrator attributes; this does not apply to ACS 4.0.

I am facing almost the same problem.

I need to authenticate my remote clients to the ASA through ACS.

Remote VPN is working fine using the local username, but authentication through ACS is not working for me.

I have added my ASA as an AAA client in the ACS, and my config on the ASA is:

aaa-server vpn protocol tacacs+
aaa-server vpn host x.x.x.x
 key ****
tunnel-group RemoteTunnel general-attributes
 authentication-server-group (inside) Radius
 authorization-server-group Radius

Any ideas?

Hi, you have to attach an external group policy to the tunnel-group for external ACS authentication, and the group name should be the username on the ACS, because ACS sees it as a username to be authenticated.

can you send an example?

Hi,

External authentication does not require an external group. An external group is required when you want to push group policies from the RADIUS server.

We can have an internal group forward the authentication request to the RADIUS server.

You need to change your config as follows :-

aaa-server vpn protocol radius
aaa-server vpn host x.x.x.x
tunnel-group RemoteTunnel general-attributes
 authentication-server-group vpn

Make sure that you have added the ASA as an AAA client in ACS and set it to authenticate using RADIUS.

HTH

Regards,

Vivek
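The two cases discussed in this thread (RADIUS authentication only, and authorization with attributes pulled from ACS) fit together in one PIX 7.2 / ASA 7.x configuration. The fragment below is an added example, not a config posted in the thread: server group name, host address, shared secret, pool range, policy names and passwords are placeholders. It assumes the documented behaviour of an external group policy, namely that the security appliance sends the group-policy name as the RADIUS User-Name with the configured password, so the ACS needs a user entry of that name carrying the 026/3076/nnn attributes.

```cisco
! RADIUS server group pointing at the ACS (placeholder address and key).
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.168.10.10
 key <shared-secret>
!
! Local fallback pool; ACS may instead return Framed-IP-Address as in the
! original poster's setup.
ip local pool RA-POOL 172.16.10.1-172.16.10.50
!
! Case 1: authentication only. An internal group policy is sufficient; the
! tunnel-group simply forwards the user's credentials to the RADIUS group.
group-policy RA-INTERNAL internal
group-policy RA-INTERNAL attributes
 vpn-tunnel-protocol IPSec
!
! Case 2: authorization from ACS. The group policy is external and points at
! the RADIUS server group. The appliance authenticates to ACS as user
! "RA-EXTERNAL" with <group-password> and applies the VPN 3000/ASA/PIX 7.x+
! attributes (026/3076/nnn) that ACS returns for that entry.
group-policy RA-EXTERNAL external server-group ACS password <group-password>
!
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 authentication-server-group ACS
 authorization-server-group ACS
 address-pool RA-POOL
 ! Use RA-INTERNAL for case 1, RA-EXTERNAL for case 2.
 default-group-policy RA-EXTERNAL
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key <psk>
```

With the external policy in place, `show vpn-sessiondb remote` after a client connects lists the group policy that was applied; if it shows the default policy rather than RA-EXTERNAL, check the ACS logs for the group-name authentication and confirm the attributes are returned under vendor 3076 rather than as cisco-av-pair strings.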

Yeah, he is right. For external authentication we only need to attach the AAA server to the tunnel-group. If we want to push some attributes to the client, then we need to do the above. Sorry, I thought that you wanted to have authorization as well.

Please go on about the authorization on the PIX. I have an ACS group DEB that I mapped to an NT group DEB. I can authenticate to a PIX through VPN if I am assigned that NT group, but I can also authenticate if I am not part of the DEB group, using the same DEB.pcf. I was hoping that the group mapping would be my solution, but that is not the case.

Elaborate a tad on the authorization setup on a PIX, please.

Thank you

Dwane
