cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
914
Views
10
Helpful
14
Replies

PIX remote access - two groups

tomas.backo
Level 1
Level 1

Hello all,

please is it possible to distinguish two remote access groups on radius server?

For example i have two groups. One for employes and second for externalist.

I authentificate them on one radius server.

It is possible to distinguish between these two groups on radius server?

How can i do this?

Because when i create two tunnel groups and two policy groups, i am still able to access both groups with user from employe or externalist group. And when i look to log on IAS server, i wasnt able to distinguish between log entry when i login as employe and when i login as externalist :(

Thank you in advance

Tomas

1 Accepted Solution

Accepted Solutions

Tomas,

Ok then, we have 2 tunnel-groups and 2 group-policies for tunnel-groups, here is what you have to do.

*First, we should lock the group-policies to tunnel groups so that one policy would not use the other tunnel-group. For achieving this, following is the sample CLI commands

tunnel-group test1 general-attributes

default-group-policy policy1

tunnel-group test2 general-attributes

default-group-policy policy2

group-policy policy1 attributes

group-lock value test1

group-policy policy2 attributes

group-lock value test2

*Now lets do the config on IAS. You should have 2 seperate Remote access policies created for your 2 different windows groups in IAS, for example

Remote access policy x

If Windows Group matches "yourdomain\externalist"

Grant access

Remote access policy y

If Windows Group matches "yourdomain\employees"

Grant access

Now in Remote access policy x, click edit profile>click advanced>click add. Choose "Class" attribute. This RA policy is for externalists, and lets say that we want to lock that windows group to test1 tunnel group. So enter OU=policy1 value in Class attribute. This is the group-policy name that we locked to tunnel-group test1

Follow the same path and enter OU=policy2 for Remote access policy y, the employees windows group.

Regards

View solution in original post

14 Replies 14

husycisco
Level 7
Level 7

Hi Tomas,

Please explain what exactly you want to achieve.

You have two tunnel-groups now, and you dont want the user of tunnel-group externalist to access tunnel-group employee or what?

Regards

Hi Husycisco,

firstly sorry for not very clearly written question, i was in a hurry :(

So what i need to do:

i have to different type of users: employers and externalist.

I am using radius server for authentification of users.

I am using pre-shared keys for both tunnel-groups. (I can't suppose, that user's from one group don't know pre-shared key from second)

Now I can connect as employer to employer's tunnel-group and as externalist to externalist's tunnel-group.

But because I am using the same radius server for both groups (so users for both groups are defined on radius - there are two windows groups exactly), I can also connect as employer to externalist's tunnel and vice-versa as externalist to employer's tunnel.

I understand this behaviour: radius isn't able to distinguish now, if employer is authenticating to employer's or externalist's tunnel. Radius only know, that this user is defined and permited to login to VPN. So access is granted to user.

My question is: is it possible to distinguish on radius which tunnel-group is user trying to log in? ( Maybe send accessed group as attribute from PIX to radius )

And is it possible to setup microsoft IAS policy to distinguish between request from employer's and externalist's group?

Thank you very much for you help.

Hope that now it is much more clear, and sorry my for my english :)

Tomas

I also have this need. I have an ASA and would like to present two different WebVPN customizations to each group. I think we may be looking at aaa authorization here, as opposed to authentication but not sure. Any help would be appreciated.

Oh, totally forgot that question, let me check the attribute and respond....

Tomas, if you are still interested, let me know and I will write a step by step

reachonenetadm,

Are you using Windows IAS?

I am using Windows IAS, yes.

Hello Husycisco,

i am still very interested in :) and i will be very thankfull if you can help me with this.

Thank in advance

Tomas

Tomas,

Ok then, we have 2 tunnel-groups and 2 group-policies for tunnel-groups, here is what you have to do.

*First, we should lock the group-policies to tunnel groups so that one policy would not use the other tunnel-group. For achieving this, following is the sample CLI commands

tunnel-group test1 general-attributes

default-group-policy policy1

tunnel-group test2 general-attributes

default-group-policy policy2

group-policy policy1 attributes

group-lock value test1

group-policy policy2 attributes

group-lock value test2

*Now lets do the config on IAS. You should have 2 seperate Remote access policies created for your 2 different windows groups in IAS, for example

Remote access policy x

If Windows Group matches "yourdomain\externalist"

Grant access

Remote access policy y

If Windows Group matches "yourdomain\employees"

Grant access

Now in Remote access policy x, click edit profile>click advanced>click add. Choose "Class" attribute. This RA policy is for externalists, and lets say that we want to lock that windows group to test1 tunnel group. So enter OU=policy1 value in Class attribute. This is the group-policy name that we locked to tunnel-group test1

Follow the same path and enter OU=policy2 for Remote access policy y, the employees windows group.

Regards

That worked brilliantly for me. Thanks VERY much for posting this.

Cheers

You are welcome reachonenetadm, and thanks for rating. I hope it works for Tomas too.

Regards

is there any way to do it on PIX 6.3(5)

Hi Husycisco,

it is working for me also.

I answer before 2 weeks .. respectively i think that i answer :) ... but in fact i only rate this conversation.

So one more time, thank you very much. You help me a lot with this problem!

Tomas

Tomas,

Nice to hear that it worked for you, and thanks for rating.

Regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: