Community Member

ASA- SSL / Clientless SSL VPN with NPS

On the ASA we utilize group-lock to make sure that a user is logging into the correct tunnel-group and match that against the OU attribute the user exists in on the RADIUS server. The issue we have is that some of our users need to belong to multiple groups. Since RADIUS servers do a top-down match on the request, the OU returned is the first group the user belongs to, which means each user is stuck in one login option.

Is there a way to get the ASA to send the group-lock value in the OU of the RADIUS request, so the server can validate whether the user is a member of that group?

5 REPLIES

ASA- SSL / Clientless SSL VPN with NPS

Hi Bro

If you were to remove the "group-lock" command on a username that needs to belong to multiple tunnel-groups, does this work for you? By the way, just to understand better, why does a user need to belong to multiple tunnel-groups? Please do highlight and enlighten.

The reason I ask is that the function of the "group-lock" command is to tie the username down to a fixed set of parameters that are defined in the group-policy.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
Community Member

ASA- SSL / Clientless SSL VPN with NPS

Some of our users need to belong to multiple groups, like a manager for an account who needs to access his agents' VPN group for testing and the corporate group in general for enhanced access. Since RADIUS servers do a top-down match on the request, the OU returned is the first group the user belongs to, which means each user is stuck in one login option.

Is there a way to get the ASA to send the group-lock value in the OU of the RADIUS request, so the server can validate whether the user is a member of that group instead?

ASA- SSL / Clientless SSL VPN with NPS

Hi Bro

Is your RADIUS server Cisco ACS 5.X?

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
Community Member

ASA- SSL / Clientless SSL VPN with NPS

No, it is a Microsoft 2008 RADIUS server.

ASA- SSL / Clientless SSL VPN with NPS

Hi Bro

As you know, the group-lock feature simply maps the incoming VPN usernames to a specific tunnel-group, that's all. In that tunnel-group, you would then have the command "authentication-server-group XXXX" pointing the authentication to your Microsoft 2008 RADIUS server. That's it. The job of your Cisco ASA is now done.

Hence, in your Microsoft 2008 RADIUS server, which is part of the same domain as your Windows AD, you will need to bind the VPN username/group to multiple OUs. You can even assign these VPN usernames a static DHCP pool IP. This can be achieved if the RADIUS server were Cisco ACS v4.2, using the IETF RADIUS attributes. I believe this is something you'd need to work on with your Microsoft 2008 RADIUS server vendor.

P.S.: If you think this comment is useful, please do rate it nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
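As an added illustration (not configuration posted in this thread, and with hypothetical names and addresses), this is the ASA arrangement the replies describe: one group-policy per login option, each pinned by group-lock to its own tunnel-group, and every tunnel-group authenticating against the NPS server. NPS selects the group-policy by returning the IETF Class attribute (25) as `OU=<group-policy>;`, so a user whose returned policy is locked to a different tunnel-group than the one he connected through is refused, which is exactly the one-login-option-per-user limit the original poster runs into.

```cisco
! Added example, not from the thread. NPS, 10.0.0.5, GP-*, TG-* are hypothetical.
! RADIUS server group pointing at the Microsoft NPS host.
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.0.0.5
 key <shared-secret-placeholder>

! One group-policy per login option. group-lock ties the policy to a single
! tunnel-group; a session arriving on any other tunnel-group is denied.
group-policy GP-AGENTS internal
group-policy GP-AGENTS attributes
 vpn-tunnel-protocol ssl-clientless
 group-lock value TG-AGENTS
group-policy GP-CORP internal
group-policy GP-CORP attributes
 vpn-tunnel-protocol ssl-clientless
 group-lock value TG-CORP

! Each tunnel-group hands authentication to NPS and falls back to its
! own default policy when RADIUS returns no Class attribute.
tunnel-group TG-AGENTS type remote-access
tunnel-group TG-AGENTS general-attributes
 authentication-server-group NPS
 default-group-policy GP-AGENTS
tunnel-group TG-AGENTS webvpn-attributes
 group-alias Agents enable

tunnel-group TG-CORP type remote-access
tunnel-group TG-CORP general-attributes
 authentication-server-group NPS
 default-group-policy GP-CORP
tunnel-group TG-CORP webvpn-attributes
 group-alias Corporate enable

! Expose both aliases in the clientless portal drop-down.
webvpn
 enable outside
 tunnel-group-list enable

! NPS side (network policy attribute, shown here as a comment):
!   IETF Class (25) = "OU=GP-AGENTS;"   -> ASA applies GP-AGENTS
! Because NPS evaluates policies top-down, a user in both AD groups always
! gets the first matching policy's Class value, hence only one working alias.
```

Checking which policy and lock were applied for a given session can be done with `show vpn-sessiondb detail webvpn`, which lists the tunnel-group and group-policy actually assigned.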