Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2706
Views
0
Helpful
2
Replies

ASA Vpn Group-Lock with ACS

dimensyssrl
Level 1
Level 1

‎06-07-2010 02:02 AM

Hello all, we have a VPN Concentrator 3020 with remote access vpn configured to authenticate via ACS tacacs server. We have a single pcf profile and we assign user groups with Class 25 attribute.

We are now testing VPN migration from Concentrator to ASA.

It seems that all works, also authentication, but users cannot be assigned to right group via Class 25 parameter (OU=group_name), and they remain all into DefaultWEBVPNGroup.

Where I'm wrong?

Configuration into ACS is the same as VPN Concentrator Authenticator.

Configuration into ASA is as follow:

webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool ip_pool_address
authentication-server-group ACSNT
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias DefaultWEBVPNGroup enable

group-policy TEST internal
group-policy TEST attributes
dns-server value 192.168.1.1
vpn-filter value vpnclients_filter
vpn-tunnel-protocol IPSec svc
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclients_splitTunnelAcl

group-policy vpnclients internal
group-policy vpnclients attributes
dns-server value 192.168.1.1
vpn-filter value vpnclients_filter
vpn-tunnel-protocol IPSec svc
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclients_splitTunnelAcl

Thanks for any help.

Daniele

Labels:
0 Helpful
2 Replies 2

Todd Pula
Level 7
Level 7

‎06-07-2010 02:29 PM

Group lock works a little differently on the ASA platform.  IIf you configure the ACS with Radius Class Attribute #25 to send OU=xxxxx, the ASA interprets this as the group-policy that should be associated to the connecting user.  Within this group policy, you can configure a tunnel group lock using the "group-lock" command.  Alternatively, you can enable Cisco ASA Vendor Specific Attribute (VSA) #85 - Tunnel-Group-Lock =  in ACS to identify what tunnel group the connecting user should be permitted to access.  Based on the config snippet you provided, I would expect all users to terminate on the DefaultWEBVPNGroup tunnel group, however, users may be associated with different group policies.

0 Helpful

marcohernandez
Level 1
Level 1
In response to Todd Pula

‎03-03-2011 05:25 PM

Hi Todd,

I know this is a very old post however I wish you are able to help me. I've been trying to configure group locking with an ACS 5.2. I could find the attributes 33 and 85 in the RADIUS dictionary however when I try to select this attributes in an access policy they are not shown there.

In the old ACS 4.x you can enable or disable the attributes to show in the User or Group Settings in Interface Configuration, but here in ACS 5.2 I can not find a similar option. There is not an enable button or check box in anywhere. Could you please help me on this?

Best Regards!

Marco

0 Helpful
Customers Also Viewed These Support Documents