Apply VPN group policy or group lock with AD via IAS/RADIUS?

Unanswered Question
Apr 23rd, 2007
User Badges:

Running ASA 7.2(2) and wondering how it is possible to apply authorization policies to an incoming ipsec remote access connection. There is an existing backend RADIUS service running Microsoft IAS in an Active Directory domain. I have got the blanket user authentication/authorization working from AD but I need to tighten it up restricting users to a specific tunnel-group and/or group-policy

I want to apply the equivalent of the ASA local vpn group-lock (where the user is restricted to a specific tunnel-group) enforced from AD via RADIUS. If this isn't possible I guess an equivalent restriction could be enforced using group-policy? From this documentation it seems possible using RADIUS...

"from an external RADIUS/LDAP server by the value of the RADIUS CLASS attribute (25) in the format OU=GroupName;"

What I don't know is the magic incantation needed in IAS to map something in Active Directory onto RADIUS attribute 25. You might be able to guess I'm not an AD person.

I have seen the ASA LDAP functionality where cVPN3000-IETF-* attribute matching is used but want to fully explore/exhaust the possibilty of using the existing RADIUS service for group-policy and ideally group-lock authorization. (Can group-lock even be enforced by RADIUS?)


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Vivek Santuka Mon, 04/23/2007 - 07:12
User Badges:
  • Cisco Employee,


Attribute 25 is available in IAS. Under the Policy if you edit the profile and go to Advanced Tab, you can add attributes which are to be pushed.



GRAEME DANIELSON Tue, 04/24/2007 - 02:14
User Badges:

Vivek, thanks for your reply. As mentioned I'm trying to integrate ASA remote access VPN in with Microsoft Active Directory via IAS. How can I configure RADIUS Attribute 25 on IAS to recv a value from AD and fwd it on to the ASA?

What I'd really like confirmed first is whether group-lock functionality is available from AD through RADIUS?

thanks, Graeme

guibarati Thu, 09/13/2007 - 11:54
User Badges:
  • Bronze, 100 points or more

You have to put the name of ASA VPN policy for it to work on IAS attribute 25


This Discussion