Re: Return IAS custom attributes (webvpn:user-vpn-group )

acraick · ‎02-15-2007

We are trying to configure a microsoft IAS server to return the vpn group to WebVPN users connecting via an ASA5510.

We have configured Radius to return the custom Attribute however it doesn't seem as though the ASA firewall is accepting the attribute.

The users just get put into the default group.

Anyone know exactly how i need to configure the IAS server or Firewall.

Thanks

acraick · ‎02-15-2007

The debugs show the following ;

radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------

Raw packet data (length = 133).....

01 26 00 85 76 77 e4 4d 02 13 50 49 4e 6f 7c 05 | .&..vw.M..PINo|.

5a 8b 68 81 01 09 53 53 4c 44 65 6d 6f 02 22 90 | Z.h...(Removed).".

3a 83 a4 b6 7c (Removed)54 f9 fe 54 b5 | :...|.a..x.T..T.

50 83 5c 7e bc 73 47 7e ac ad 5c d3 1d a7 fa 1f | P.\~.sG~..\.....

10 32 30 33 2e 31 30 30 2e 32 32 38 2e 32 31 3d | .(Removed)=

06 00 (Removed)05 06 00 00 00 | .........b......

26 1a 24 00 00 (Removed) 3a 73 6f 75 72 | &.$......ip:sour

63 65 2d 69 70 3d 32 30 (Removed) 30 2e 32 32 | ce-ip=(Removed)b

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 38 (0x26)

Radius: Length = 133 (0x0085)

Radius: Vector: 7677E44D021350494E6F7C055A8B6881

Radius: Type = 1 (0x01) User-Name

Radius: Length = 9 (0x09)

Radius: Value (String) =

53 53(Removed)6f (Removed)

Radius: Type = 2 (0x02) User-Password

Radius: Length = 34 (0x22)

Radius: Value (String) =

90 3a 83 a4 (Removed)

b5 50 83 5c 7e(Removed)

Radius: Type = 31 (0x1F) Calling-Station-Id

Radius: Length = 16 (0x10)

Radius: Value (String) =

| (Removed)

Radius: Type = 61 (0x3D) NAS-Port-Type

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x5

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = (Removed)

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x26

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 36 (0x24)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 30 (0x1E)

Radius: Value (String) =

69 70 3a (Removed)33 | ip:source-ip=(Removed)

RADIUS packet decode (response)

--------------------------------------

Raw packet data (length = 92).....

02 26 00 5c b0 9c 1d 6d 0d f7 a6 3c 98 7d 7c 71 | .&.\...m...<.}|q

8a 18 37 75 19 20 4d 1f 05 7d 00 00 01 37 00 01 | ..7u. M..}...7..

ac 16 d8 48 01 c7 4f 2a 17 9a 60 c4 00 00 00 00 | ...H..O*..`.....

00 00 0f 3c 1a 28 00 00 00 09 01 22 77 65 62 76 | ...<.(....."webv

70 6e 3a 75 73 65 72 2d 76 70 6e 2d 67 72 6f 75 | pn:user-vpn-grou

70 3d 44 65 6d 6f 2d 47 72 6f 75 70 | p=Demo-Group

Parsed packet data.....

Radius: Code = 2 (0x02)

Radius: Identifier = 38 (0x26)

Radius: Length = 92 (0x005C)

Radius: Vector: B09C1D6D0DF7A63C987D7C718A183775

Radius: Type = 25 (0x19) Class

Radius: Length = 32 (0x20)

Radius: Value (String) =

4d 1f 05 7d 00 00 01 37 00 01 ac 16 d8 48 01 c7 | M..}...7.....H..

4f 2a 17 9a 60 c4 00 00 00 00 00 00 0f 3c | O*..`........<

Radius: Type = 26 (0x1A) Vendor-Specific

Radius: Length = 40 (0x28)

Radius: Vendor ID = 9 (0x00000009)

Radius: Type = 1 (0x01) Cisco-AV-pair

Radius: Length = 34 (0x22)

Radius: Value (String) =

77 65 62 76 70 6e 3a 75 73 65 72 2d 76 70 6e 2d | webvpn:user-vpn-

67 72 6f 75 70 3d 44 65 6d 6f 2d 47 72 6f 75 70 | group=Demo-Group

rad_procpkt: ACCEPT

RADIUS_ACCESS_ACCEPT: normal termination

RADIUS_DELETE

acraick · ‎02-15-2007

packet dump of Radius return of customer Attributes.

oxys · ‎02-21-2007

Actually we don't use this feature, but I could test it and it worked.

In IAS you have to add the "Class" attribute with a value as "ou=;".

It worked for me both for IPSec and SSL VPNs.