Restrict Active Directory group to a VPN tunnel group through RADIUS

Dec 10th, 2007

I have seen a few conversations similar to this one, but none of them answer my question:

I am using IAS as my RADIUS server in an Active Directory environment. I want to restrict a user to a particular Tunnel Group. I know that I must configure a class 25 attribute in the RADIUS server OU=GROUPNAME. In my case I have a sub-set of users who should be restricted to this tunnel and not our general use tunnel. How do I associate the AD users to the class attribute (and tunnel that I want to restrict the user to)? Do I create an AD GROUP? If so, how do I associate that AD group to the VPN tunnel-group that I want these users to be restricted to?

Jason Gervia Mon, 12/10/2007 - 17:52
Cisco Employee


The radius class attribute (25) maps users to group policies, not tunnel-groups/connection profiles.

So you could have everyone come in on the same tunnel-group/connection profile, but then depending on the group in your radius server, end up with different group policies depending on what class attribute you send.

I'm not sure of the AD/IAS configuration off the top of my head, but here's a link on configuring the IAS to work with the ASA:

7.x - but in 8.x the same principles apply.

mellowgb59 Thu, 12/13/2007 - 17:40

I want users from a certain AD group to be assigned a certain VPN policy. The question that I am asking:

How do you tie the AD group that the users are in to the group policy that you want applied?

ggittins Fri, 12/14/2007 - 11:45

Have you gotten an answer to this question?

I have the same requirements...

aliaslab Sat, 12/15/2007 - 08:50

First you need to create in AD a Security Group (a Global Security Group would be OK), naming it the way you like (say, 'Sales'), and make the AD users of your 'sub-set' members of this Group.

After that you need to create in IAS a Remote Access Policy whose policy conditions contain 'Windows-Groups'='Sales' (selecting the new Group by simply browsing your AD).

Then set for THAT IAS POLICY the CLASS 25 attribute equal to the VPN Server Group Policy (equal to the Tunnel Group if you have a VPN3000) you want those users to be locked into.

Basically, this way IAS will return the proper class attribute to the VPN server, based on which AD Security Group an (authenticated) user belongs to.
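
An added example (not part of this thread, and not Cisco or Microsoft code) that models both halves of the procedure above in Python: the IAS side, where one Remote Access Policy per AD Security Group returns a RADIUS Class (25) attribute in the OU=<group-policy>; form the ASA expects, and the ASA side, which parses that attribute out of the Access-Accept to pick the group policy. The group name 'Sales', the policy name SALES_POLICY and the mapping table are hypothetical; the attribute encoding follows RFC 2865.

```python
import struct

# RADIUS attribute type number for Class, per RFC 2865.
RADIUS_CLASS = 25

# Constructed stand-in for the IAS configuration: one Remote Access Policy
# per AD Security Group (condition Windows-Groups = <group>), each returning
# the ASA group-policy name it locks its members into. Names are hypothetical.
AD_GROUP_TO_POLICY = {"Sales": "SALES_POLICY"}


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value, Length covering all three."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def class_for_user(user_groups):
    """Emulate IAS policy evaluation: the first policy whose Windows-Groups
    condition matches decides the Class value. Returns the encoded Class
    attribute, or None when no policy matches (IAS would then not apply one)."""
    for group in user_groups:
        policy = AD_GROUP_TO_POLICY.get(group)
        if policy:
            return radius_attribute(RADIUS_CLASS, f"OU={policy};".encode())
    return None


def parse_attributes(payload: bytes):
    """Walk the attribute area of a RADIUS packet, yielding (type, value)
    and refusing truncated or self-overlapping attributes."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", payload[i:i + 2])
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        yield attr_type, payload[i + 2:i + length]
        i += length


def group_policy_from_accept(payload: bytes):
    """What the VPN head-end does with the Access-Accept attributes: use the
    group-policy name carried in a Class value of the form OU=NAME; (the
    trailing ';' is optional here); other Class values, such as opaque
    session identifiers, are ignored. Returns None if no OU= Class is present."""
    for attr_type, value in parse_attributes(payload):
        if attr_type == RADIUS_CLASS:
            text = value.decode(errors="replace")
            if text.startswith("OU="):
                return text[3:].rstrip(";")
    return None
```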
