
New Member

RA-VPN group-mapping with ASA

Dear All!

I have an RA-VPN configuration with a Cisco VPNC and a Cisco Secure ACS 4.2. I do VPN tunnel-group mapping according to the user's RADIUS attribute 25, Class (ou=...), and it works fine. I migrated this solution from the VPNC to an ASA5520 with the 8.0(4) software image, and I can't do this tunnel-group mapping, although the ACS configuration is the same (of course), and I think that the FW configuration is correct also.

All the tunnel-groups are internal, and the authentication is right everywhere, but the tunnel mapping isn't working.

Can anyone write a sample config to me for ASA to verify it?

Is there a special command (e.g. "tunnel-group-map enable ou") I should use?

Thanks for the answers!

By(e)

Miki

5 REPLIES
Cisco Employee

Re: RA-VPN group-mapping with ASA

Hi Miki,

"Group mapping" works differently on the ASA than it did on the CVPN: what is mapped on the ASA is the group policy, not the tunnel group.

So basically what you need to do is create a group policy per group mapping you have, and define there the attributes that you want to apply to the user.

In other words, when the ASA receives the Class value from the RADIUS server (ACS), instead of putting the user into the tunnel group that the Class refers to, it looks for an existing group policy with the same name; if one exists, the user is governed by that group policy, and if there is none, the user is placed into the default one.

HTH

Ivan

New Member

Re: RA-VPN group-mapping with ASA

Hi Ivan,

Thank you for your answer, now it works fine.

My problem with this solution is that I can't use the IP local pools assigned to the tunnel-groups...

I think I should use the ACS local pools, or "assigned IP from the AAA client pool" options, shouldn't I?

By(e)

Miki

Cisco Employee

Re: RA-VPN group-mapping with ASA

The pools and IP addressing can either be defined on the group policy with the correct value, or you can use the ACS with either a static IP on the user or with a pool on either the group or the user; this attribute will be passed in the RADIUS Access-Accept as a Framed-IP-Address value.
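The following ASA configuration is an added example that is not part of the thread and not from Cisco; it puts together the two points made above (a group policy named to match the RADIUS Class value, and the address pool attached to that group policy rather than to the tunnel group). The group-policy names ENGINEERING and SALES, the pool names, the addresses, the server name ACS, the tunnel-group name RA-IPSEC and the shared secret are all assumed placeholders; the Class attribute values that ACS would have to return for them are shown in the comments.

```cisco
! Added example, not from the original thread. All names and addresses are placeholders.
!
! RADIUS server (Cisco Secure ACS) used for user authentication.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.10
 key CHANGE-ME-SHARED-SECRET

! One local pool per group. Pools are referenced from the group policy,
! not from the tunnel group, so that the mapped policy carries the addressing.
ip local pool POOL-ENGINEERING 192.168.10.1-192.168.10.254 mask 255.255.255.0
ip local pool POOL-SALES 192.168.20.1-192.168.20.254 mask 255.255.255.0

! Group-policy names must match what ACS sends in RADIUS attribute 25 (Class).
! For the ASA the Class value is written "OU=<group-policy name>;", e.g.:
!   ACS group "Engineering"  ->  Class = OU=ENGINEERING;
!   ACS group "Sales"        ->  Class = OU=SALES;
group-policy ENGINEERING internal
group-policy ENGINEERING attributes
 address-pools value POOL-ENGINEERING
 vpn-simultaneous-logins 3

group-policy SALES internal
group-policy SALES attributes
 address-pools value POOL-SALES
 vpn-simultaneous-logins 3

! Caveat: a user whose Class value matches no group policy falls into the default
! policy. Setting simultaneous logins to 0 there denies such users instead of
! silently giving them the default policy; each mapped policy above overrides it.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! Single internal tunnel group; the group policy is selected per user by RADIUS.
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 authentication-server-group ACS
 default-group-policy DfltGrpPolicy
tunnel-group RA-IPSEC ipsec-attributes
 pre-shared-key CHANGE-ME-PSK
```

After a user connects, "show vpn-sessiondb remote" lists both the tunnel group and the group policy actually applied, which is the quickest way to confirm the Class value was matched; "debug radius" shows the Class attribute as it arrives in the Access-Accept. If ACS is used to hand out the address instead (static IP on the user, or an ACS pool on the group or user), it arrives as Framed-IP-Address in the same Access-Accept and the address-pools lines above are not needed for that user.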

New Member

Re: RA-VPN group-mapping with ASA

Hi!

Thank you very much, it really works.

Regards,

Miki

Cisco Employee

Re: RA-VPN group-mapping with ASA

Hi Miki,

I am glad it works, please be sure to rate useful posts
