webvpn, group-lock, radius authentication and group-name

netops · ‎04-06-2007

We have a pair of 5520's and have just enabled the webvpn. What we would like to do is use radius (Class attribute OU=groupname) to lock a user to their vpn group when one connects and successfully authenticates with the webvpn. We currently authenticate users with the vpn client successfully, but without the class attribute and rely on pcf configs for the group assignment.

We would like to have it where a user can login on the webvpn and not have to choose what group they belong too. As it currently stands, our tests show that if you:

webvpn

tunnel-group-list disable

This will cause the user's tunnel group to be assigned as the default 'DefaultWEBVPNGroup' and the policy group default of 'DfltGrpPolicy'

My questions are:

1) How do you change the default tunnel policy to be something other than DefaultWEBVPNGroup?

2) How do you tell the ASA to use the 'Class' attribute from the Radius server for the webvpn authenticated user?

We use freeradius on a linux box.

-.mag

Danilo Dy · ‎04-07-2007

Hi,

I'm able to do it using 5510, MS 2003 AD as LDAP, and MS 2003 IAS as RADIUS.

- Create users and assign to their group in AD

- Create policy per user group. i.e. destination IP Address and ports.

User login by just knowing their username and password. Their usergroup is transparent to them, there is no drop-down list for user to select their group.

The downside of this is that you cannot assign different IP Pool per usergroup. If you want different IP Pool per user group, they wil lsee the drop-down list and they have to select their usergroup from the list. If they select the wrong usergroup, they will not be able to login. If you have too many usergroup, it wil lnot be pretty to see them all in the drop-down list.

netops · ‎04-09-2007

Thanks Medan,

We do not use MS 2003 for LDAP and RADIUS. We have a Linux radius implementation that is set to use system authentication that pulls information from NIS.

-.mag

Danilo Dy · ‎04-07-2007

Hi,

I hope this answers you Q

1.

Default Group Policy is DfltGrpPolicy (System Default)

Default Tunnel Group is DefaultWEBVPNGroup

You cannot remove the above. However you can set things that you want to be default in DfltGrpPolicy. Then you can create multiple Group Policies per usergroup and set inherit for default settings set in DfltGrpPolicy. For example, usergroup1policy.

In tunnel Group, you can create multiple Tunnel Groups per usergroup. For example, usergroup1tunnel;

General > Basic > Group Policy: usergroup1policy

General > AAA > Authentication Server Group: your RADIUS server

General > AAA > Authorization Server Group: your RADIUS server

General > Client Address Assignment > Address Pools: your address pool

General > Advanced > Interface-Specific Authentication Server Groups > Interface: inside

General > Advanced > Interface-Specific Client IP Address Pools > Interface: inside

General > Advanced > Interface-Specific Client IP Address Pools > Address Pool: your address pool

WebVPN > Basic > Authentication: AAA

WebVPN > Basic > DNS Group: DefaultDNS

WebVPN > Basic > Alternative group policy: usergroup1policy

WebVPN > Group Aliases and URLs > Group Aliases: usergroup1 <<< this will show in drop-down list if enabled.

WebVPN > Web Page > Webpage Customization: DfltCustomization

2.

Properties > AAA Setup > AAA Servers

Server Groups

Server Group: server name

Protocol: RADIUS

Accounting Mode: Single

Reactivation Mode: depletion

Dead Time: 10 minutes

Max Failed Attempts: 3

Servers in Selected Group

Interface Name: Inside

Server Name or IP Address: your entries here

Timeout: 10 seconds

Server Authentication Port: your entries here (i.e. 1645)

Server Accounting Port: your entries here (i.e. 1646)

Retry Interval: 10

Server Secrete Key: your entries here should be the same as configured in the RADIUS server

Common Password: NONE

ACL Netmask Convert: Wildcard

There's no special atribute to set it to "Class". However the "Class" setting is done in MS 2003 IAS.

I created routing object for each usergroup. This is the IP Address/network they are allowed to access. The routing object called will be called in the usergroup Group Policy to create permissions in General > Filter to create ACL and ACE

In the Remote Access Policy of MS 2003 IAS;

- Create a policy for each usergroup

- In the Advanced Tab, add "Class" and type "OU=usergroup_name_in_AD;"

netops · ‎04-09-2007

I should clarify that the Class setting is being sent from our radius server.

Since it does this I would like the ASA to determine what VPN group a user should be assigned to when they login via the webvpn.

If disabling the drop-down list does not allow a user to get assigned to their configured group, then how can I get group-lock to work.

The use case would be that the drop-down list shows several groups. A user is assigned to one of them on the radius server. If a user selects a group that they are not assigned to, then authentication will not be allowed.

The goal is to prevent a user from just using any group.

dianewalker · ‎04-09-2007

Check out this link on how to lock users in the group. It is document ID 13831.

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

Diane

netops · ‎04-10-2007

Thanks dianewalker,

I've set this up already. The 'class' gets sent but the ASA doesn't seem to enforce the group-lock via webvpn.

What am I missing?

dianewalker · ‎04-10-2007

I assume that you have the correct syntax: 25="OU=filtergroup;" The filter group name is case sensitive. Whatever the filter group name (case sensitive) that you setup in ASA, setup the name group name (case sensitive) in RADIUS. Also, make sure there is a ";" after the group name. One last thing, you might need to restart the service in RADIUS after adding or changing the group name. I don't know FREERADIUS.

Diane