01-15-2007 04:29 AM - edited 03-10-2019 02:55 PM
Hi All,
What I want to do is to bind a specific VPN user to a specific VPN group using a RADIUS server for AAA and an ASA as the VPN endpoint.
Which is the correct AV pair to use in the communication?
Is there a list of all AV pairs usable with ASA and Radius?
All information is welcome (examples, links to manuals and commands, tips & tricks).
Thanks in advance,
Matteo
Additional info
Radius is a FreeRadius v 1.1.2
ASA is a ASA5520 v 7.2(1)
01-15-2007 04:47 AM
For group binding we need to use the Class attribute; it is IETF attribute number 25.
The format is ou=
Regards,
Vivek
01-15-2007 05:11 AM
Thanks Vivek.
I was just using that AV pair and what I had as result is:
Radiusd output ->
Sending Access-Accept of id 234 to 192.168.0.253 port 1025
Framed-IP-Address = 172.26.101.1
Framed-IP-Netmask = 255.255.255.255
Service-Type = Framed-User
Class = 0x76706e67727070726f7661
Class is set in the postgres db on a FreeBSD machine where FreeRADIUS is running; the real value of Class is OU=vpngrpprova and the vpnclient is presenting itself as vpngrpprova2.
When authenticated and processed, what I have is that the client is bound to vpngrpprova2 and not to vpngrpprova.
Where is the mistake?
Many thanks
Matteo
01-15-2007 07:56 AM
Hi,
I think the missing ; is the culprit. The Class attribute is to be defined as :-
OU=vpngrpprova;
Let me know how this goes.
01-15-2007 08:16 AM
Hi,
this is the content of the postgres db for Radius:
INSERT INTO radcheck VALUES (3, 'roberto', 'User-Password', '==', 'pass');
INSERT INTO radreply VALUES (19, 'roberto', 'Service-Type', '=', 'Framed-User');
INSERT INTO radreply VALUES (17, 'roberto', 'Framed-IP-Address', '=', '172.26.101.200');
INSERT INTO radreply VALUES (18, 'roberto', 'Framed-IP-Netmask', '=', '255.255.255.0');
INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'ou=vpngrpprova');
01-15-2007 10:06 AM
Hi,
Need to change :-
INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'ou=vpngrpprova');
into
INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'ou=vpngrpprova;');
01-16-2007 12:45 AM
Hi,
change made but it still doesn't work
INSERT INTO radcheck VALUES (3, 'roberto', 'User-Password', '==', 'pass');
INSERT INTO radreply VALUES (19, 'roberto', 'Service-Type', '=', 'Framed-User');
INSERT INTO radreply VALUES (17, 'roberto', 'Framed-IP-Address', '=', '172.26.101.200');
INSERT INTO radreply VALUES (18, 'roberto', 'Framed-IP-Netmask', '=', '255.255.255.0');
INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'ou=vpngrpprova;');
What else?
Ask me all info you need.
Thanks a lot
Matteo
01-16-2007 04:24 AM
Maybe because the radius server is sending the class value in hex "Class = 0x76706e67727070726f7661".
Also the class value is case sensitive.
01-16-2007 04:44 AM
Hi vsantuka,
thanks for your reply.
I have just done some other checks using this software NTRadPing of Dialways.
This is a part of the FreeRadius output:
Sending Access-Accept of id 2 to 172.16.5.10 port 2163
Framed-IP-Address = 172.26.101.200
Framed-IP-Netmask = 255.255.255.0
Service-Type = Framed-User
Class = 0x6f753d76706e67727070726f76613b
This is what the client receives:
reply packet code=2 id=2 length=55
response: Access-Accept
Framed-IP-Address = 172.26.101.200
Framed-IP-Netmask = 255.255.255.0
Service-Type = Framed-User
Class=ou=vpngrpprova;
Maybe something is wrong in the ASA config?
Thanks
Matteo
01-16-2007 08:24 AM
My bad. Forgot the most important thing.
We need to "Make sure OU is in capital letters and that there is a semicolon after the group name."
We have the semicolon but our "OU" is in lowercase.
01-16-2007 08:52 AM
Don't worry...but with OU in uppercase we are still experiencing the problem.
This is the content of the db now:
INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'OU=vpngrpprova;');
INSERT INTO radreply VALUES (19, 'roberto', 'Service-Type', '=', 'Framed-User');
INSERT INTO radreply VALUES (17, 'roberto', 'Framed-IP-Address', '=', '172.26.101.200');
INSERT INTO radreply VALUES (18, 'roberto', 'Framed-IP-Netmask', '=', '255.255.255.0');
The tunnelgroup name specified in the pcf is vpngrpprova2.
And we are logged using vpngrpprova2 credential group.
Do you need other information?
Thanks a lot
Matteo
01-16-2007 10:08 AM
Duh! ASA works differently - not as the concentrator etc.
With ASA the Class attribute will just provide the group policy name and not the group name.
The group policy on the ASA will then have the group to which the user needs to be bound.
Let's say you want to lock user rj123 into group RemoteGroup. Then on the
radius server define IETF attribute 25 Class "OU=RemotePolicy;" for this user. Here is the
config on the ASA:
group-policy RemotePolicy internal
group-policy RemotePolicy attributes
dns-server value 10.1.1.1 10.2.2.2
group-lock value RemoteGroup
Basically the OU sets the group policy for this user and in the group policy
you lock the user into the tunnel-group that you want.
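The two things the thread converges on are (a) the Class value must be in the exact form OU=name; with an uppercase OU and a trailing semicolon, and (b) on the ASA that name selects a group-policy, whose group-lock then has to match the tunnel-group the client connected to. The following is an added example, not code from the thread or from Cisco or FreeRADIUS: it decodes the hex-printed Class values from the radiusd output above, checks them against the formatting rules, and models the group-lock decision as described in the post above. The group-policy table and the decision model are constructed assumptions for illustration; only the Class values and names are taken from the thread.

```python
import re

# Class values exactly as FreeRADIUS printed them in the thread's debug output.
SAMPLE_CLASS_HEX = {
    "first attempt": "0x76706e67727070726f7661",
    "with semicolon": "0x6f753d76706e67727070726f76613b",
}

# Group-policy name -> group-lock value. Constructed lookup table mirroring
# the "group-lock value RemoteGroup" config above and the gpvprova/vpngrpprova
# pair from the final post; not read from a live ASA.
SAMPLE_GROUP_POLICIES = {
    "RemotePolicy": "RemoteGroup",
    "gpvprova": "vpngrpprova",
}

# The form the thread settles on: uppercase OU, a policy name, trailing ';'.
_CLASS_FORM = re.compile(r"^OU=([^;]+);$")


def decode_class(value: str) -> str:
    """radiusd prints the Class octet string as 0x<hex>; return the text it
    encodes. A value that is already plain text is returned unchanged."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:]).decode("ascii")
    return value


def group_policy_from_class(value: str) -> str:
    """Return the group-policy name the ASA reads from a Class attribute, or
    raise ValueError naming the formatting rule that is violated."""
    text = decode_class(value)
    match = _CLASS_FORM.match(text)
    if match:
        return match.group(1)
    if not text.lower().startswith("ou="):
        raise ValueError(f"{text!r}: not in OU=<group-policy>; form")
    if not text.startswith("OU="):
        raise ValueError(f"{text!r}: 'OU' must be uppercase")
    if not text.endswith(";"):
        raise ValueError(f"{text!r}: missing trailing ';'")
    raise ValueError(f"{text!r}: empty or malformed group-policy name")


def asa_group_lock_decision(tunnel_group: str, class_value: str,
                            group_policies: dict) -> tuple:
    """Model (assumption: only the group-lock rule is modelled) of the
    behaviour described in the thread: Class selects a group-policy; if that
    policy carries a group-lock, the session is accepted only when the
    tunnel-group the client connected to (the pcf group name) matches it.
    Raises KeyError for a policy that is not defined in the table."""
    policy = group_policy_from_class(class_value)
    lock = group_policies[policy]
    if lock is not None and lock != tunnel_group:
        return False, f"group-lock {lock} != tunnel-group {tunnel_group}"
    return True, f"group-policy {policy}"


def audit_samples() -> dict:
    """Run every sampled Class value through the checks; name -> outcome."""
    results = {}
    for name, hexval in SAMPLE_CLASS_HEX.items():
        try:
            results[name] = "ok: " + group_policy_from_class(hexval)
        except ValueError as exc:
            results[name] = "bad: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in audit_samples().items():
        print(f"{name:15} {outcome}")
    # The failure mode from the final post: pcf says vpngrpprova2, lock says vpngrpprova.
    print(asa_group_lock_decision("vpngrpprova2", "OU=gpvprova;", SAMPLE_GROUP_POLICIES))
    print(asa_group_lock_decision("vpngrpprova", "OU=gpvprova;", SAMPLE_GROUP_POLICIES))
```

Running it shows that the first logged value decodes to a bare vpngrpprova (no OU=, no semicolon) and the second to ou=vpngrpprova; (lowercase OU), which is why neither was honoured, and that with a correct Class the only remaining reason for a reject is the tunnel-group mismatch the last post describes.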
01-18-2007 08:12 AM
Ok,
this works, but it's a half solution.
Because we would like to give away only one pcf that contains a valid group.
Then, using only Radius, authenticate the valid user using username and password.
What happens now is:
I have a pcf containing vpngrpprova2 and the user roberto password pass.
Using this and having as Radius reply Class=OU=gpvprova that group-lock to vpngrpprova the user is rejected because of the difference in tunnel-group (vpngroup in pcf != vpngroup in group-policy returned by Radius).
Instead we want the user authenticated because username and password are right and tunnel parameters are those of vpngrpprova tunnel-group.
I hope that my explanation is clear.
Matteo
ps: is it possible to do this request or something similar for webvpn?
Many many thanks