RA-VPN group-mapping with ASA

miklos.andrasi
Level 1
Level 1

Dear All!

I have a RA-VPN configuration with a Cisco VPNC and a Cisco Secure ACS 4.2. I do VPN tunnel-group mapping according to the user RADIUS attribute 25 Class (ou=...), and it works fine. I migrated this solution from the VPNC to an ASA5520 with 8.0(4) software image, and I can't do this tunnel-group mapping, although the ACS configuration is the same (of course), and I think that the FW configuration is correct also.

All the tunnel-groups are internal, and the authentication is right everywhere, but the tunnel mapping doesn't work.

Can anyone write a sample config to me for ASA to verify it?

Is there a special command (f.e. "tunnel-group-map enable ou") I should use?

Thanks for the answers!

By(e)

Miki


5 Replies

Ivan Martinon
Level 7
Level 7

Hi Miki,

"Group mapping" works differently on the ASA from how it did on the CVPN: what is mapped on the ASA is the Group Policy, not the Tunnel Group.

So basically what you need to do is to create a group policy per group mapping you have, and define there the attributes that you want the user to be affected by.

In other words, when the ASA receives the Class value from the RADIUS server (ACS), instead of putting the user into the tunnel group that the Class refers to, it looks for an existing Group-Policy with the same name. If one exists, the user is affected by this Group-Policy; if there is none, the user will be placed into the default one.

HTH

Ivan

Hi Ivan,

Thank you for your answer, now it works fine.

My problem with this solution is that I can't use the IP local pools assigned to the tunnel-groups...

I think I should use the ACS local pools, or "assigned IP from the AAA client pool" options, shouldn't I?

By(e)

Miki

The pools and IP addressing can either be defined on the group policy with the correct value, or you can use the ACS with either a static IP on the user or with the pool on either group or user; this attribute will be passed in the RADIUS Access-Accept as a Framed-IP-Address value.
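A sample ASA configuration illustrating both answers above (Class attribute matched against a group-policy name, address pool on the group-policy or assigned by AAA). This is an added example, not part of the thread and not a config posted by either participant; the names, addresses and RADIUS key are constructed placeholders.

```cisco
! RADIUS server group pointing at the ACS (placeholder address and key)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key CHANGE_ME_SHARED_SECRET

! Local pool used when addresses are assigned by the ASA
ip local pool POOL_SALES 10.10.1.1-10.10.1.100 mask 255.255.255.0

! The ACS returns RADIUS attribute 25 Class = "OU=SALES;" for these users.
! The ASA looks for a group-policy whose name equals the OU value,
! so the policy must be named SALES (case matters on the ASA side).
group-policy SALES internal
group-policy SALES attributes
 vpn-tunnel-protocol IPSec
 address-pools value POOL_SALES
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SALES_SPLIT

! Users whose Class matches no group-policy fall back to the tunnel-group default.
! DfltGrpPolicy is the built-in fallback; no pool is attached here on purpose,
! so unmapped users cannot pull an address unless AAA supplies one.
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 authentication-server-group ACS
 default-group-policy DfltGrpPolicy

! Address assignment order: AAA-supplied Framed-IP-Address (or ACS pool)
! wins if present, otherwise the group-policy's local pool is used.
vpn-addr-assign aaa
vpn-addr-assign local
```

Verify the mapping on the ASA with `show vpn-sessiondb remote` (the Group Policy column shows which policy the Class value selected) and with `debug radius` if the Class value arrives in a different form than the policy name.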

Hi!

Thank you very much, it really works.

Regards,

Miki

Hi Miki,

I am glad it works, please be sure to rate useful posts