06-07-2010 02:02 AM
Hello all, we have a VPN Concentrator 3020 with remote access vpn configured to authenticate via ACS tacacs server. We have a single pcf profile and we assign user groups with Class 25 attribute.
We are now testing VPN migration from Concentrator to ASA.
It seems that everything works, including authentication, but users cannot be assigned to the right group via the Class 25 parameter (OU=group_name), and they all remain in DefaultWEBVPNGroup.
Where am I wrong?
Configuration into ACS is the same as VPN Concentrator Authenticator.
Configuration on the ASA is as follows:
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
 svc enable
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ip_pool_address
 authentication-server-group ACSNT
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DefaultWEBVPNGroup enable
group-policy TEST internal
group-policy TEST attributes
 dns-server value 192.168.1.1
 vpn-filter value vpnclients_filter
 vpn-tunnel-protocol IPSec svc
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclients_splitTunnelAcl
group-policy vpnclients internal
group-policy vpnclients attributes
 dns-server value 192.168.1.1
 vpn-filter value vpnclients_filter
 vpn-tunnel-protocol IPSec svc
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclients_splitTunnelAcl
Thanks for any help.
Daniele
06-07-2010 02:29 PM
Group lock works a little differently on the ASA platform. If you configure the ACS with RADIUS Class Attribute #25 to send OU=xxxxx, the ASA interprets this as the group-policy that should be associated to the connecting user. Within this group policy, you can configure a tunnel group lock using the "group-lock" command. Alternatively, you can enable Cisco ASA Vendor Specific Attribute (VSA) #85 - Tunnel-Group-Lock =
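To make the attribute handling in the reply above concrete, here is an added example (not from the original thread, not Cisco code) that decodes the two RADIUS attributes it mentions from a constructed Access-Accept payload: IETF Class (#25) carrying "OU=<group-policy>" and the Cisco VSA #85 Tunnel-Group-Lock (vendor ID 9). It then models the decision the reply describes: the OU value selects a configured group-policy, an unknown or missing OU leaves the user on the default policy (which is what the original poster observed), and a Tunnel-Group-Lock that does not match the tunnel-group the user connected to rejects the session. The encoder helpers, the sample attribute values, the acceptance of an optional trailing ";" after the OU name, and the "DfltGrpPolicy" default name are assumptions made for the example.

```python
import struct

# RADIUS attribute types and the Cisco vendor ID used for VSAs
RADIUS_CLASS = 25
RADIUS_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_VSA_TUNNEL_GROUP_LOCK = 85  # Cisco VSA #85 as named in the reply above


def encode_attr(attr_type, value):
    """Standard RADIUS TLV: type, length (includes the 2 header bytes), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def encode_cisco_vsa(vsa_type, value):
    """Vendor-Specific (26) wrapping a single Cisco sub-attribute (RFC 2865 layout)."""
    inner = bytes([vsa_type, 2 + len(value)]) + value
    return encode_attr(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attrs(data):
    """Decode a RADIUS attribute blob into (type, vendor_id, vsa_type, value) tuples.
    Standard attributes carry vendor_id=None and vsa_type=None; malformed lengths raise."""
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if t == RADIUS_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if len(value) - j < 2:
                    raise ValueError("truncated VSA header")
                vt, vl = value[j], value[j + 1]
                if vl < 2 or j + vl > len(value):
                    raise ValueError("bad VSA length")
                attrs.append((t, vendor, vt, value[j + 2:j + vl]))
                j += vl
        else:
            attrs.append((t, None, None, value))
        i += length
    return attrs


def group_policy_from_class(value):
    """Return the group-policy name carried as 'OU=<name>' in Class 25, or None.
    Assumption: a trailing ';' terminator (as some ACS setups send) is tolerated."""
    text = value.decode("ascii", errors="replace").strip()
    if not text.upper().startswith("OU="):
        return None
    name = text[3:].split(";", 1)[0].strip()
    return name or None


def resolve_session(attrs, configured_group_policies, default_group_policy, connected_tunnel_group):
    """Model the ASA mapping described in the reply: Class OU -> group-policy,
    VSA 85 -> tunnel-group lock. Returns the decision as a dict."""
    result = {"group_policy": default_group_policy, "tunnel_group_lock": None,
              "allowed": True, "reason": "no usable Class attribute; default policy applied"}
    for t, vendor, vt, value in attrs:
        if t == RADIUS_CLASS:
            name = group_policy_from_class(value)
            if name is None:
                result["reason"] = "Class present but not in OU=<name> form; default policy applied"
            elif name not in configured_group_policies:
                result["reason"] = "Class names group-policy %r which is not configured; default policy applied" % name
            else:
                result["group_policy"] = name
                result["reason"] = "group-policy selected from Class OU"
        elif t == RADIUS_VENDOR_SPECIFIC and vendor == CISCO_VENDOR_ID and vt == CISCO_VSA_TUNNEL_GROUP_LOCK:
            lock = value.decode("ascii", errors="replace").strip()
            result["tunnel_group_lock"] = lock
            if lock != connected_tunnel_group:
                result["allowed"] = False
                result["reason"] = "Tunnel-Group-Lock %r does not match tunnel-group %r" % (lock, connected_tunnel_group)
    return result


# Constructed sample Access-Accept attributes (not captured from a real server)
CONFIGURED_POLICIES = {"TEST", "vpnclients"}      # the two group-policies from the posted config
ACCEPT_OK = encode_attr(RADIUS_CLASS, b"OU=vpnclients;") + \
    encode_cisco_vsa(CISCO_VSA_TUNNEL_GROUP_LOCK, b"DefaultWEBVPNGroup")
ACCEPT_UNKNOWN_OU = encode_attr(RADIUS_CLASS, b"OU=sales")
ACCEPT_WRONG_LOCK = encode_attr(RADIUS_CLASS, b"OU=TEST") + \
    encode_cisco_vsa(CISCO_VSA_TUNNEL_GROUP_LOCK, b"OtherTunnelGroup")

if __name__ == "__main__":
    for label, blob in (("ok", ACCEPT_OK), ("unknown-ou", ACCEPT_UNKNOWN_OU), ("wrong-lock", ACCEPT_WRONG_LOCK)):
        print(label, resolve_session(parse_attrs(blob), CONFIGURED_POLICIES, "DfltGrpPolicy", "DefaultWEBVPNGroup"))
```

The "unknown-ou" case is the one worth checking first when users land in the default group: the OU value the ACS sends has to match a group-policy name on the ASA exactly, otherwise the ASA falls back to the default policy without refusing the login.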
03-03-2011 05:25 PM
Hi Todd,
I know this is a very old post; however, I hope you are able to help me. I've been trying to configure group locking with an ACS 5.2. I could find attributes 33 and 85 in the RADIUS dictionary; however, when I try to select these attributes in an access policy they are not shown there.
In the old ACS 4.x you can enable or disable the attributes shown in the User or Group Settings under Interface Configuration, but here in ACS 5.2 I cannot find a similar option. There is no enable button or check box anywhere. Could you please help me with this?
Best Regards!
Marco