ASA Vpn Group-Lock with ACS

Jun 7th, 2010

Hello all, we have a VPN Concentrator 3020 with remote access vpn configured to authenticate via ACS tacacs server. We have a single pcf profile and we assign user groups with Class 25 attribute.


We are now testing VPN migration from Concentrator to ASA.


It seems that all works, including authentication, but users cannot be assigned to the right group via the Class 25 parameter (OU=group_name), and they all remain in DefaultWEBVPNGroup.


Where am I wrong?


Configuration in ACS is the same as for the VPN Concentrator authenticator.


Configuration in the ASA is as follows:


webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
 svc enable

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ip_pool_address
 authentication-server-group ACSNT
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DefaultWEBVPNGroup enable

group-policy TEST internal
group-policy TEST attributes
 dns-server value 192.168.1.1
 vpn-filter value vpnclients_filter
 vpn-tunnel-protocol IPSec svc
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclients_splitTunnelAcl

group-policy vpnclients internal
group-policy vpnclients attributes
 dns-server value 192.168.1.1
 vpn-filter value vpnclients_filter
 vpn-tunnel-protocol IPSec svc
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclients_splitTunnelAcl


Thanks for any help.


Daniele

Todd Pula Mon, 06/07/2010 - 14:29

Group lock works a little differently on the ASA platform. If you configure the ACS with RADIUS Class Attribute #25 to send OU=xxxxx, the ASA interprets this as the group-policy that should be associated with the connecting user. Within this group policy, you can configure a tunnel group lock using the "group-lock" command. Alternatively, you can enable Cisco ASA Vendor Specific Attribute (VSA) #85 - Tunnel-Group-Lock = in ACS to identify which tunnel group the connecting user should be permitted to access. Based on the config snippet you provided, I would expect all users to terminate on the DefaultWEBVPNGroup tunnel group; however, users may be associated with different group policies.
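The behaviour Todd describes is easy to misread from the original config, so here is an added simulation (not ASA code, not from the thread) of how the ASA evaluates the AAA reply: the Class attribute selects the group-policy, the group-policy's own "group-lock" or the VSA 85 value selects the tunnel group the user must have connected through, and a mismatch rejects the session. The RADIUS reply dictionaries, the tunnel-group name "vpnclients_tg", and the fallback to a default group-policy when the Class value names no existing policy are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# RADIUS attribute numbers named in the thread
CLASS_ATTR = 25             # IETF Class, carried as "OU=<group-policy>;"
TUNNEL_GROUP_LOCK_VSA = 85  # Cisco VSA Tunnel-Group-Lock


@dataclass(frozen=True)
class GroupPolicy:
    """Subset of an ASA group-policy: its name and the `group-lock value <tunnel-group>`
    setting. group_lock=None models `group-lock none`, the ASA default."""
    name: str
    group_lock: Optional[str] = None


def parse_class_attribute(value: Union[str, bytes]) -> Optional[str]:
    """Return the group-policy name from a Class value such as 'OU=TEST;', else None.

    The ASA looks for the 'OU=' prefix and accepts a trailing ';'.  Stripping
    surrounding whitespace is an assumption made here for robustness.
    """
    if isinstance(value, bytes):
        value = value.decode("ascii", errors="replace")
    text = value.strip()
    if not text.upper().startswith("OU="):
        return None
    name = text[3:].rstrip(";").strip()
    return name or None


def resolve_session(
    radius_attrs: Dict[int, List[str]],
    tunnel_group: str,
    policies: Dict[str, GroupPolicy],
    default_policy: str = "DfltGrpPolicy",
) -> Tuple[str, bool, str]:
    """Decide which group-policy the user gets and whether group-lock permits the session.

    radius_attrs maps RADIUS attribute number -> list of values from the AAA server.
    tunnel_group is the tunnel group the client actually connected through.
    Returns (group_policy_name, permitted, reason).
    """
    # 1. Class attribute -> group-policy (falls back to default_policy when the
    #    named policy does not exist; assumption for this simulation)
    policy_name = default_policy
    for raw in radius_attrs.get(CLASS_ATTR, []):
        candidate = parse_class_attribute(raw)
        if candidate is not None and candidate in policies:
            policy_name = candidate
            break
    policy = policies.get(policy_name, GroupPolicy(policy_name))

    # 2. Tunnel-group lock: VSA 85 from the AAA server overrides the policy's own setting
    lock = policy.group_lock
    vsa_values = radius_attrs.get(TUNNEL_GROUP_LOCK_VSA)
    if vsa_values:
        lock = None if vsa_values[0].lower() == "none" else vsa_values[0]

    # 3. Enforce: no lock, or lock equal to the tunnel group used, permits the session
    if lock is None:
        return policy_name, True, "no group-lock in effect"
    if lock == tunnel_group:
        return policy_name, True, f"group-lock matches tunnel-group {tunnel_group}"
    return (policy_name, False,
            f"group-lock requires tunnel-group {lock}, client connected via {tunnel_group}")


if __name__ == "__main__":
    # Constructed policies: TEST has no lock, vpnclients is locked to a tunnel group
    POLICIES = {
        "TEST": GroupPolicy("TEST"),
        "vpnclients": GroupPolicy("vpnclients", group_lock="vpnclients_tg"),
    }
    # Constructed AAA replies modelled on the Class attribute from the original post
    print(resolve_session({CLASS_ATTR: ["OU=TEST;"]}, "DefaultWEBVPNGroup", POLICIES))
    print(resolve_session({CLASS_ATTR: ["OU=vpnclients;"]}, "DefaultWEBVPNGroup", POLICIES))
    print(resolve_session({CLASS_ATTR: ["OU=vpnclients;"]}, "vpnclients_tg", POLICIES))
```

Run as-is, the first call shows the situation from the original post: the user terminates on DefaultWEBVPNGroup but still receives group-policy TEST, which is why "show vpn-sessiondb" on the ASA would list the group policy separately from the tunnel group. The second call shows what adding "group-lock value" to a policy changes: the same user is rejected unless they connect through the locked tunnel group, as in the third call.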

marcohernandez Thu, 03/03/2011 - 17:25
Hi Todd,


I know this is a very old post; however, I hope you are able to help me. I've been trying to configure group locking with an ACS 5.2. I could find attributes 33 and 85 in the RADIUS dictionary; however, when I try to select these attributes in an access policy, they are not shown there.

In the old ACS 4.x you could enable or disable the attributes shown in the User or Group Settings under Interface Configuration, but in ACS 5.2 I cannot find a similar option. There is no enable button or check box anywhere. Could you please help me with this?


Best Regards!


Marco
