
New Member

ASA - logging via radius with group name passed.

Hi,

I'm trying to set up an ASA5520 with RADIUS to authenticate users with group privileges.

Using RADIUS with the ASA to authenticate users is quite simple. When I try to pass the tunnel-group name (with group-policy and attributes attached) from the ASA, there is a problem: the ASA doesn't pass any group name to RADIUS.

Is there any way to overcome it?

What I want to do is to apply different policies to a username depending on which tunnel-group name he logs in to WebVPN with. I assume one user may be a member of different groups.

br

Marcin

6 REPLIES
Bronze

Re: ASA - logging via radius with group name passed.

The issue is the tunnel group name must be the IP address of the remote peer.

For example:

tunnel-group 172.20.77.10 type ipsec-l2l
tunnel-group 172.20.77.10 ipsec-attributes

New Member

Re: ASA - logging via radius with group name passed.

I'm trying to pass this in WebVPN, not an IPsec tunnel. Do you know if this is possible?

New Member

Re: ASA - logging via radius with group name passed.

It's possible.

Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.

Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or another directory service). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, in which you can then limit the URLs shown with the url-list command.

Long winded, I know...any questions, please ask.
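The attribute-25 mapping described above, as an added example that is not part of this thread or of Cisco's code: a small Python model of how the ASA picks a group-policy from a RADIUS Access-Accept, falling back to the tunnel-group's default group-policy when no "OU=<name>;" Class value is present. The "OU=...;" value format is Cisco's documented convention; the attribute bytes, attribute order and policy names are constructed.

```python
"""Added example (not from the thread): model how an ASA picks a group-policy
from the RADIUS Class attribute (type 25) in an Access-Accept. The
"OU=<group-policy>;" value format is Cisco's documented convention; the
attribute bytes and policy names below are constructed test data."""
import struct

RADIUS_CLASS = 25          # Class attribute type (RFC 2865)
RADIUS_REPLY_MESSAGE = 18  # Reply-Message, an unrelated attribute for contrast


def parse_attributes(blob):
    """Walk RADIUS attribute TLVs (type, length, value) into (type, value)
    pairs. A bad length raises rather than reading past the buffer."""
    attrs, off = [], 0
    while off + 2 <= len(blob):
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % off)
        attrs.append((atype, blob[off + 2:off + alen]))
        off += alen
    return attrs


def group_policy_from_class(attrs):
    """Return the group-policy named by the first Class value of the form
    'OU=<name>;'. Servers may also send opaque Class values for session
    tracking, so anything not in that form is skipped, not used as a policy."""
    for atype, value in attrs:
        if atype == RADIUS_CLASS:
            text = value.decode("ascii", errors="replace").strip()
            if text.startswith("OU=") and text.endswith(";"):
                return text[3:-1]
    return None


def select_group_policy(attrs, tunnel_group_default):
    """Prefer the RADIUS-assigned policy; otherwise fall back to the
    tunnel-group's default group-policy, which is why that default must
    exist and should be kept restrictive."""
    return group_policy_from_class(attrs) or tunnel_group_default


def build_attr(atype, value):
    """Encode one attribute as type, length, value (constructed test data)."""
    return struct.pack("BB", atype, len(value) + 2) + value


# Constructed Access-Accept attribute payloads: with and without an OU= Class.
ACCEPT_WITH_CLASS = (build_attr(RADIUS_CLASS, b"OU=SALES-POLICY;")
                     + build_attr(RADIUS_REPLY_MESSAGE, b"welcome"))
ACCEPT_NO_CLASS = build_attr(RADIUS_REPLY_MESSAGE, b"welcome")
```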

New Member

Re: ASA - logging via radius with group name passed.

I ran into a problem with ASA 7.0(6) because with that version you cannot specify an IP address pool in the group policy (only in the tunnel group). So, if the default tunnel-group does not have an IP pool assigned to it, the client cannot get an IP address. With version 7.2(2), you can assign an IP pool in both the Group Policy and the Tunnel-Group, so you can assign a specific IP pool based on the attribute 25 received from the RADIUS server.

New Member

Re: ASA - logging via radius with group name passed.

astroman,

Your advice is really helpful, but I have a doubt about "Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group".

We have to define a group policy for a tunnel group. If we do not specify the default group policy for the default WebVPN tunnel group, is it harmless to specify one of the user-defined group policies? Or would it be better to create a dummy group policy for this?

New Member

Re: ASA - logging via radius with group name passed.

I apologize if I was unclear...

Yes, you'll have to keep the default webvpn group policy when the default webvpn tunnel-group is built.

I have some other recommendations as far as keeping the default webvpn group locked down tightly via ACS, that I'll post about in a little while.

Any other questions, please let us know...
