I was wondering if anyone here has ever configured multiple AnyConnect VPN profiles, all authenticating to a back-end RSA Authentication Manager server without the use of SecureACS?
What I have here are 3 groups of users in different geographic locations - Americas, Europe, and Asia, and basically I need to assign them to the correct subnet based on their VPN group. The VPN profiles are successfully authenticated to the RSA Authentication Manager using RADIUS, however, the users are not being assigned *any* available group policy, and thus not being put in any of the available valid tunnels, and the connection attempt eventually fails.
The users are in the RSA authentication manager database (imported from AD), and for each user there is a custom RADIUS IETF-25 attribute defined in RSA AM with a value that matches each of our anyconnect tunnels.
Those with experience integrating multiple AnyConnect profiles with RSA SecurID, how did you successfully implement group lock in your environment without the use of SecureACS (we don't have one at our disposal)....
Are you connecting to the RSA server over sdi or Radius?
If Radius, you could run the "debug radius all" on the ASA to check whether the attribute 25 comes back from the RSA server.
Figured out the issue, what I had to do was to go into the RSA SecurID operations console and edit RADIUS.INI.
As the ASA is not defined as a recognized product in RSA Authnetication manager, it fell back to the standard radius profile. The problem occurs when RSA tries to send the standard class attribute to the ASA in which it does not recognize, thus failing the authorization process.
vendor-product = - Standard Radius -
dictionary = Radius
ignore-ports = no
help-id = 2000
send-class-attribute = no
I have a similar setup to dexterism which I can't quite get working yet. I'm would like to use the RSA AM user database and built-in RADIUS server to pass back the group-lock attribute back to the RADIUS client (Cisco ASA 5510). I've created my own custom Identity Attribute which contains the list of VPN groups and mapped the RADIUS Class (ID 25) attribute to it.
On the Cisco, I've setup several DAP's to assign the correct ACL filters depending on what the radius.25 class value is. The issue is that when I authenticate with the AnyConnect VPN client, it doesn't look like the RADIUS ID 25 value is being passed from the RADIUS server to the Cisco ASA RADIUS client. It's always falling to the last DAP policy "DfltAccessPolicy". I've also verified from the "debug radius all" that its not showing the RADIUS server's assigned value for that particular user.
Any ideas are greatly appreciated!
Well, if the RADIUS debug output does not list the attribute 25 then the server is not sending it.
Did you follow the configuration steps indicated in the configuration guide of the RSA AM product?
Unfortunately, it sounds like a configuration issue on the server side.
You don't need DAP as the ASA will automatically recognize IETF attribute 25 as the Group policy name. Make sure the values configured for your RADIUS attribute profiles on the RSA AM matches the Group Policy Name exactly on the cisco ASA.
Also you need to go into the user's profile on RSA AM, and under "authentication settings" - select the appropriate RADIUS profile to assign to the user.
Nothing is done on the ASA except to configure the RADIUS servers. 80% of the config is done on the back end while the ASA simply points to the RADIUS server.
Thank you both for the quick and helpful replies. Yes, this is definitely a RSA server config issue. I was unaware of the "authentication settings" for the individual users. I am now able to pass RADIUS attributes back to the Cisco ASA RADIUS client. Haven't quite got it working to my liking yet, but I think I'm well on my way now. Thanks!
Finally got the RADIUS server (RSA AM 8.1) to pass the RADIUS.25 attribute back to the RADIUS client (Cisco ASA 5510). Here's what I did in hope that this will help others who run into this issue. On the RSA AM server;
I created a "NOVPN" group-policy and set that as the default RADIUS profile for the RADIUS client as well as the default group-policy for the single tunnel group profile on the Cisco ASA. Then I set the "vpn-simultaneous-logins" to 0 so that users who are not part of the "group-GP1" group policy will be unable to connect. I got this idea from the Cisco Ask the Expert page - https://supportforums.cisco.com/discussion/11365251/ask-expert-configuring-and-troubleshooting-aaa-asa-use-vpn.
Initially I tried creating a custom "Identity Attribute" and added my various defined group-policies into the "Predefined List Entries". Then I mapped this attribute to the RADIUS standard user attribute (Class, attribute ID #25). I was confident that this would work and would be the easiest method to assign group policies to users, but the RADIUS attribute was never sent to the Cisco ASA and I'm not sure why. I also tried manually setting the "RADIUS User Attributes" through the "User Authentication Settings" on the RSA server, but that didn't work either. The only method that was successful (thanks to dexterism's help) was creating a separate RADIUS profile for each group policy that I created on our Cisco ASA appliance and then associating the policy through the "User RADIUS Profile" in the "User Authentication Settings."