02-15-2007 02:39 AM - edited 03-11-2019 02:33 AM
We are trying to configure a Microsoft IAS server to return the VPN group to WebVPN users connecting via an ASA5510.
We have configured RADIUS to return the custom attribute; however, it doesn't seem as though the ASA firewall is accepting the attribute.
The users just get put into the default group.
Anyone know exactly how I need to configure the IAS server or firewall?
Thanks
02-15-2007 02:27 PM
The debugs show the following:
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 133).....
01 26 00 85 76 77 e4 4d 02 13 50 49 4e 6f 7c 05 | .&..vw.M..PINo|.
5a 8b 68 81 01 09 53 53 4c 44 65 6d 6f 02 22 90 | Z.h...(Removed).".
3a 83 a4 b6 7c (Removed)54 f9 fe 54 b5 | :...|.a..x.T..T.
50 83 5c 7e bc 73 47 7e ac ad 5c d3 1d a7 fa 1f | P.\~.sG~..\.....
10 32 30 33 2e 31 30 30 2e 32 32 38 2e 32 31 3d | .(Removed)=
06 00 (Removed)05 06 00 00 00 | .........b......
26 1a 24 00 00 (Removed) 3a 73 6f 75 72 | &.$......ip:sour
63 65 2d 69 70 3d 32 30 (Removed) 30 2e 32 32 | ce-ip=(Removed)b
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 38 (0x26)
Radius: Length = 133 (0x0085)
Radius: Vector: 7677E44D021350494E6F7C055A8B6881
Radius: Type = 1 (0x01) User-Name
Radius: Length = 9 (0x09)
Radius: Value (String) =
53 53(Removed)6f (Removed)
Radius: Type = 2 (0x02) User-Password
Radius: Length = 34 (0x22)
Radius: Value (String) =
90 3a 83 a4 (Removed)
b5 50 83 5c 7e(Removed)
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 16 (0x10)
Radius: Value (String) =
| (Removed)
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = (Removed)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x26
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 36 (0x24)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 30 (0x1E)
Radius: Value (String) =
69 70 3a (Removed)33 | ip:source-ip=(Removed)
RADIUS packet decode (response)
--------------------------------------
Raw packet data (length = 92).....
02 26 00 5c b0 9c 1d 6d 0d f7 a6 3c 98 7d 7c 71 | .&.\...m...<.}|q
8a 18 37 75 19 20 4d 1f 05 7d 00 00 01 37 00 01 | ..7u. M..}...7..
ac 16 d8 48 01 c7 4f 2a 17 9a 60 c4 00 00 00 00 | ...H..O*..`.....
00 00 0f 3c 1a 28 00 00 00 09 01 22 77 65 62 76 | ...<.(....."webv
70 6e 3a 75 73 65 72 2d 76 70 6e 2d 67 72 6f 75 | pn:user-vpn-grou
70 3d 44 65 6d 6f 2d 47 72 6f 75 70 | p=Demo-Group
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 38 (0x26)
Radius: Length = 92 (0x005C)
Radius: Vector: B09C1D6D0DF7A63C987D7C718A183775
Radius: Type = 25 (0x19) Class
Radius: Length = 32 (0x20)
Radius: Value (String) =
4d 1f 05 7d 00 00 01 37 00 01 ac 16 d8 48 01 c7 | M..}...7.....H..
4f 2a 17 9a 60 c4 00 00 00 00 00 00 0f 3c | O*..`........<
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 40 (0x28)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 34 (0x22)
Radius: Value (String) =
77 65 62 76 70 6e 3a 75 73 65 72 2d 76 70 6e 2d | webvpn:user-vpn-
67 72 6f 75 70 3d 44 65 6d 6f 2d 47 72 6f 75 70 | group=Demo-Group
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
02-15-2007 02:38 PM
02-21-2007 11:33 PM
Actually we don't use this feature, but I could test it and it worked.
In IAS you have to add the "Class" attribute with a value as "ou=
It worked for me both for IPSec and SSL VPNs.
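To see which attributes the server really returned, the Access-Accept from the debug output in this thread can be decoded offline. This is an added example, not part of the original posts: the function names are hypothetical, and the packet bytes are copied from the "RADIUS packet decode (response)" dump.

```python
import struct

# Access-Accept bytes copied from the "RADIUS packet decode (response)" dump above.
ACCESS_ACCEPT = bytes.fromhex(
    "02 26 00 5c b0 9c 1d 6d 0d f7 a6 3c 98 7d 7c 71"
    "8a 18 37 75 19 20 4d 1f 05 7d 00 00 01 37 00 01"
    "ac 16 d8 48 01 c7 4f 2a 17 9a 60 c4 00 00 00 00"
    "00 00 0f 3c 1a 28 00 00 00 09 01 22 77 65 62 76"
    "70 6e 3a 75 73 65 72 2d 76 70 6e 2d 67 72 6f 75"
    "70 3d 44 65 6d 6f 2d 47 72 6f 75 70"
)

CLASS, VENDOR_SPECIFIC, CISCO_VENDOR_ID = 25, 26, 9


def parse_attributes(packet):
    """Return [(type, value)] for each attribute in a RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # attributes start after code, id, length, authenticator
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def cisco_av_pairs(attrs):
    """Strings from Cisco (vendor 9) sub-attribute 1 inside Vendor-Specific."""
    pairs = []
    for a_type, value in attrs:
        if a_type != VENDOR_SPECIFIC or value[:4] != struct.pack("!I", CISCO_VENDOR_ID):
            continue
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == 1:  # Cisco-AV-pair
                pairs.append(sub[2:sub[1]].decode("ascii", "replace"))
            sub = sub[sub[1]:]
    return pairs


def class_ou_values(attrs):
    """Class (25) values that start with the "ou=" prefix named in the reply."""
    return [v for t, v in attrs if t == CLASS and v.startswith(b"ou=")]
```

On the packet from the thread, `cisco_av_pairs` returns the `webvpn:user-vpn-group=Demo-Group` string and `class_ou_values` is empty: the only Class attribute present is a 30-byte binary value.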