Apply VPN group policy or group lock with AD via IAS/RADIUS?

Running ASA 7.2(2) and wondering how it is possible to apply authorization policies to an incoming IPsec remote access connection. There is an existing backend RADIUS service running Microsoft IAS in an Active Directory domain. I have got the blanket user authentication/authorization working from AD but I need to tighten it up, restricting users to a specific tunnel-group and/or group-policy.

I want to apply the equivalent of the ASA local vpn group-lock (where the user is restricted to a specific tunnel-group) enforced from AD via RADIUS. If this isn't possible I guess an equivalent restriction could be enforced using group-policy? From this documentation it seems possible using RADIUS...

"from an external RADIUS/LDAP server by the value of the RADIUS CLASS attribute (25) in the format OU=GroupName;"

What I don't know is the magic incantation needed in IAS to map something in Active Directory onto RADIUS attribute 25. You might be able to guess I'm not an AD person.

I have seen the ASA LDAP functionality where cVPN3000-IETF-* attribute matching is used but want to fully explore/exhaust the possibility of using the existing RADIUS service for group-policy and ideally group-lock authorization. (Can group-lock even be enforced by RADIUS?)

TIA

3 Replies

Vivek Santuka
Cisco Employee

Hi,

Attribute 25 is available in IAS. Under the Policy if you edit the profile and go to Advanced Tab, you can add attributes which are to be pushed.

Regards,

Vivek

Vivek, thanks for your reply. As mentioned I'm trying to integrate ASA remote access VPN in with Microsoft Active Directory via IAS. How can I configure RADIUS Attribute 25 on IAS to recv a value from AD and fwd it on to the ASA?

What I'd really like confirmed first is whether group-lock functionality is available from AD through RADIUS?

Thanks, Graeme

You have to put the name of the ASA VPN policy for it to work on IAS attribute 25.
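An added example, not part of the original thread: a Python check that pulls the Class (25) attribute out of a captured RADIUS Access-Accept and confirms it matches the `OU=GroupName;` format quoted in the question. The packet is constructed inline, and `VPN-Engineering` and `Sales` are hypothetical group-policy names.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
ATTR_CLASS = 25     # Class attribute type

def build_access_accept(class_values, identifier=1):
    """Build a constructed Access-Accept carrying the given Class values (sample input only)."""
    attrs = b"".join(bytes([ATTR_CLASS, len(v) + 2]) + v for v in class_values)
    # 16 zero bytes stand in for the Response Authenticator, which is not validated here.
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + bytes(16) + attrs

def class_attributes(packet):
    """Return the raw value of every Class (25) attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    values, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        if a_type == ATTR_CLASS:
            values.append(packet[pos + 2:pos + a_len])
        pos += a_len
    return values

def group_policy_from_class(packet):
    """Return GroupName from the first Class value shaped exactly like 'OU=GroupName;', else None."""
    for raw in class_attributes(packet):
        text = raw.decode("ascii", errors="replace")
        if text.startswith("OU=") and text.endswith(";") and len(text) > 4:
            return text[3:-1]
    return None

# Constructed samples: one well-formed value, one missing the trailing semicolon,
# and one where an opaque binary Class value precedes the policy value.
SAMPLE = build_access_accept([b"OU=VPN-Engineering;"])
NO_SEMICOLON = build_access_accept([b"OU=VPN-Engineering"])
MIXED = build_access_accept([b"\x8a\x01\x02", b"OU=Sales;"])

if __name__ == "__main__":
    for name, pkt in (("SAMPLE", SAMPLE), ("NO_SEMICOLON", NO_SEMICOLON), ("MIXED", MIXED)):
        print(name, group_policy_from_class(pkt))
```

To check a real capture, pass the UDP payload of the Access-Accept to `group_policy_from_class`; a result of `None` means no Class value in the reply matches the quoted format.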
