PIX remote access - two groups

Answered Question
Mar 31st, 2008
User Badges:

Hello all,


please is it possible to distinguish two remote access groups on radius server?


For example i have two groups. One for employes and second for externalist.

I authentificate them on one radius server.

It is possible to distinguish between these two groups on radius server?

How can i do this?


Because when i create two tunnel groups and two policy groups, i am still able to access both groups with user from employe or externalist group. And when i look to log on IAS server, i wasnt able to distinguish between log entry when i login as employe and when i login as externalist :(


Thank you in advance

Tomas


Correct Answer by husycisco about 9 years 1 month ago

Tomas,

Ok then, we have 2 tunnel-groups and 2 group-policies for tunnel-groups, here is what you have to do.

*First, we should lock the group-policies to tunnel groups so that one policy would not use the other tunnel-group. For achieving this, following is the sample CLI commands


tunnel-group test1 general-attributes

default-group-policy policy1


tunnel-group test2 general-attributes

default-group-policy policy2


group-policy policy1 attributes

group-lock value test1


group-policy policy2 attributes

group-lock value test2

*Now lets do the config on IAS. You should have 2 seperate Remote access policies created for your 2 different windows groups in IAS, for example


Remote access policy x

If Windows Group matches "yourdomain\externalist"

Grant access


Remote access policy y

If Windows Group matches "yourdomain\employees"

Grant access


Now in Remote access policy x, click edit profile>click advanced>click add. Choose "Class" attribute. This RA policy is for externalists, and lets say that we want to lock that windows group to test1 tunnel group. So enter OU=policy1 value in Class attribute. This is the group-policy name that we locked to tunnel-group test1

Follow the same path and enter OU=policy2 for Remote access policy y, the employees windows group.


Regards

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
husycisco Mon, 03/31/2008 - 07:58
User Badges:
  • Gold, 750 points or more

Hi Tomas,

Please explain what exactly you want to achieve.

You have two tunnel-groups now, and you dont want the user of tunnel-group externalist to access tunnel-group employee or what?


Regards

tomas.backo Mon, 03/31/2008 - 13:06
User Badges:

Hi Husycisco,


firstly sorry for not very clearly written question, i was in a hurry :(


So what i need to do:

i have to different type of users: employers and externalist.

I am using radius server for authentification of users.

I am using pre-shared keys for both tunnel-groups. (I can't suppose, that user's from one group don't know pre-shared key from second)


Now I can connect as employer to employer's tunnel-group and as externalist to externalist's tunnel-group.


But because I am using the same radius server for both groups (so users for both groups are defined on radius - there are two windows groups exactly), I can also connect as employer to externalist's tunnel and vice-versa as externalist to employer's tunnel.


I understand this behaviour: radius isn't able to distinguish now, if employer is authenticating to employer's or externalist's tunnel. Radius only know, that this user is defined and permited to login to VPN. So access is granted to user.


My question is: is it possible to distinguish on radius which tunnel-group is user trying to log in? ( Maybe send accessed group as attribute from PIX to radius )


And is it possible to setup microsoft IAS policy to distinguish between request from employer's and externalist's group?


Thank you very much for you help.

Hope that now it is much more clear, and sorry my for my english :)

Tomas


reachonenetadm Tue, 04/08/2008 - 14:34
User Badges:

I also have this need. I have an ASA and would like to present two different WebVPN customizations to each group. I think we may be looking at aaa authorization here, as opposed to authentication but not sure. Any help would be appreciated.

husycisco Tue, 04/08/2008 - 15:53
User Badges:
  • Gold, 750 points or more

Oh, totally forgot that question, let me check the attribute and respond....

husycisco Tue, 04/08/2008 - 18:28
User Badges:
  • Gold, 750 points or more

Tomas, if you are still interested, let me know and I will write a step by step

husycisco Tue, 04/08/2008 - 19:16
User Badges:
  • Gold, 750 points or more

reachonenetadm,

Are you using Windows IAS?

tomas.backo Tue, 04/08/2008 - 22:57
User Badges:

Hello Husycisco,


i am still very interested in :) and i will be very thankfull if you can help me with this.


Thank in advance

Tomas

Correct Answer
husycisco Wed, 04/09/2008 - 04:19
User Badges:
  • Gold, 750 points or more

Tomas,

Ok then, we have 2 tunnel-groups and 2 group-policies for tunnel-groups, here is what you have to do.

*First, we should lock the group-policies to tunnel groups so that one policy would not use the other tunnel-group. For achieving this, following is the sample CLI commands


tunnel-group test1 general-attributes

default-group-policy policy1


tunnel-group test2 general-attributes

default-group-policy policy2


group-policy policy1 attributes

group-lock value test1


group-policy policy2 attributes

group-lock value test2

*Now lets do the config on IAS. You should have 2 seperate Remote access policies created for your 2 different windows groups in IAS, for example


Remote access policy x

If Windows Group matches "yourdomain\externalist"

Grant access


Remote access policy y

If Windows Group matches "yourdomain\employees"

Grant access


Now in Remote access policy x, click edit profile>click advanced>click add. Choose "Class" attribute. This RA policy is for externalists, and lets say that we want to lock that windows group to test1 tunnel group. So enter OU=policy1 value in Class attribute. This is the group-policy name that we locked to tunnel-group test1

Follow the same path and enter OU=policy2 for Remote access policy y, the employees windows group.


Regards

reachonenetadm Wed, 04/09/2008 - 08:44
User Badges:

That worked brilliantly for me. Thanks VERY much for posting this.

Cheers

husycisco Wed, 04/09/2008 - 09:23
User Badges:
  • Gold, 750 points or more

You are welcome reachonenetadm, and thanks for rating. I hope it works for Tomas too.


Regards

tomas.backo Mon, 04/21/2008 - 05:08
User Badges:

Hi Husycisco,


it is working for me also.

I answer before 2 weeks .. respectively i think that i answer :) ... but in fact i only rate this conversation.


So one more time, thank you very much. You help me a lot with this problem!


Tomas

husycisco Mon, 04/21/2008 - 06:36
User Badges:
  • Gold, 750 points or more

Tomas,

Nice to hear that it worked for you, and thanks for rating.


Regards

Actions

This Discussion