RA-VPN group-mapping with ASA

Mar 3rd, 2009

Dear All!


I have a RA-VPN configuration with a Cisco VPNC and a Cisco Secure ACS 4.2. I do VPN tunnel-group mapping according to the user RADIUS attribute 25 Class (ou=...), and it works fine. I migrated this solution from the VPNC to an ASA5520 with 8.0(4) software image, and I can't do this tunnel-group mapping, although the ACS configuration is the same (of course), and I think that the FW configuration is correct also.

All the tunnel-groups are internal, and the authentication is right everywhere, but the tunnel-mapping doesn't work.


Can anyone write a sample config to me for ASA to verify it?

Is there a special command (f.e. "tunnel-group-map enable ou") I should use?


Thanks for the answers!


By(e)

Miki

Ivan Martinon (Cisco Employee) Tue, 03/03/2009 - 07:47

Hi Miki,


"Group mapping" works differently on the ASA than it did on the CVPN; for instance, what is mapped on the ASA is the Group Policy and not the Tunnel Group.


So basically what you need to do is to create a group policy per group mapping you have and define the attributes there that you want the user to be affected by.


In other words, when the ASA receives the Class value from the RADIUS server (ACS), instead of putting the user into the Tunnel Group that the Class refers to, it looks for an existing Group-Policy with the same name and, if one exists, it has the user affected by this Group-Policy; if there is none then the user will be placed into the default one.


HTH

Ivan

miklos.andrasi Tue, 03/03/2009 - 08:51

Hi Ivan,


Thank you for your answer, now it works fine.

My problem with this solution is that I can't use the IP local pools assigned to the tunnel-groups...

I think I should use the ACS local pools, or "assigned IP from the AAA client pool" options, shouldn't I?


By(e)

Miki

Correct Answer
Ivan Martinon (Cisco Employee) Tue, 03/03/2009 - 09:10

The pools and IP addressing can either be defined on the group policy with the correct value, or you can use the ACS with either a static IP on the user or with the pool on either the group or the user; this attribute will be passed on in the RADIUS Access-Accept as a Framed-IP-Address value.
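A sample configuration that ties together the two answers above (Class-to-group-policy matching, and per-group-policy address pools). This is an added illustration, not configuration posted by either participant; every name, address, pool range and shared secret below is an assumed placeholder, and the ACS side is described in comments only.

```text
! --- Cisco Secure ACS 4.2 side (assumed values, shown as comments) ---
! ACS group "Engineering": IETF RADIUS attribute 25 (Class) = OU=ENGINEERING;
! ACS group "Sales":       IETF RADIUS attribute 25 (Class) = OU=SALES;
! Optional per-user static address instead of a pool:
!   IETF RADIUS attribute 8 (Framed-IP-Address) = 192.168.10.50
!
! --- ASA 8.0(4) side ---
! RADIUS server group pointing at the ACS (assumed host and secret)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5
 key RADIUS-SHARED-SECRET-PLACEHOLDER

! Address pools (assumed ranges); one per group policy
ip local pool ENG-POOL 192.168.10.1-192.168.10.100 mask 255.255.255.0
ip local pool SALES-POOL 192.168.20.1-192.168.20.100 mask 255.255.255.0

! Group policies: the name must match the OU= string in the Class attribute
! exactly, because the ASA selects the group policy by name, not the tunnel group
group-policy ENGINEERING internal
group-policy ENGINEERING attributes
 vpn-tunnel-protocol IPSec
 address-pools value ENG-POOL
 vpn-simultaneous-logins 1

group-policy SALES internal
group-policy SALES attributes
 vpn-tunnel-protocol IPSec
 address-pools value SALES-POOL
 vpn-simultaneous-logins 1

! A single tunnel group is enough: users land here, authenticate against the ACS,
! and are then moved to ENGINEERING or SALES by the returned Class value.
! Users whose Class matches no group policy fall back to DfltGrpPolicy.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS
 default-group-policy DfltGrpPolicy
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key GROUP-PSK-PLACEHOLDER
```

With this layout the address a user receives comes from the pool attached to the group policy that the Class attribute selected, so the pools no longer need to live on the tunnel group. If the ACS also returns Framed-IP-Address for a user, the ASA's default address-assignment order (aaa before local pools) uses that address instead; the same mechanism covers the "assigned IP from the AAA client pool" option mentioned earlier, since the ACS then supplies the address rather than the ASA. Verify the match with `show vpn-sessiondb remote`, which lists the group policy actually applied to each session.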

Correct Answer
Ivan Martinon (Cisco Employee) Wed, 03/04/2009 - 06:54

Hi Miki,


I am glad it works, please be sure to rate useful posts.
