We have a pair of 5520s and have just enabled the webvpn. What we would like to do is use radius (Class attribute OU=groupname) to lock a user to their vpn group when one connects and successfully authenticates with the webvpn. We currently authenticate users with the vpn client successfully, but without the class attribute and rely on pcf configs for the group assignment.
We would like to have it where a user can login on the webvpn and not have to choose what group they belong to. As it currently stands, our tests show that if you:
This will cause the user's tunnel group to be assigned as the default 'DefaultWEBVPNGroup' and the policy group default of 'DfltGrpPolicy'
My questions are:
1) How do you change the default tunnel policy to be something other than DefaultWEBVPNGroup?
2) How do you tell the ASA to use the 'Class' attribute from the Radius server for the webvpn authenticated user?
We use freeradius on a linux box.
I'm able to do it using 5510, MS 2003 AD as LDAP, and MS 2003 IAS as RADIUS.
- Create users and assign to their group in AD
- Create policy per user group. i.e. destination IP Address and ports.
User login by just knowing their username and password. Their usergroup is transparent to them, there is no drop-down list for user to select their group.
The downside of this is that you cannot assign a different IP Pool per usergroup. If you want a different IP Pool per user group, they will see the drop-down list and they have to select their usergroup from the list. If they select the wrong usergroup, they will not be able to login. If you have too many usergroups, it will not be pretty to see them all in the drop-down list.
We do not use MS 2003 for LDAP and RADIUS. We have a Linux radius implementation that is set to use system authentication that pulls information from NIS.
I hope this answers your question.
Default Group Policy is DfltGrpPolicy (System Default)
Default Tunnel Group is DefaultWEBVPNGroup
You cannot remove the above. However you can set things that you want to be default in DfltGrpPolicy. Then you can create multiple Group Policies per usergroup and set inherit for default settings set in DfltGrpPolicy. For example, usergroup1policy.
In Tunnel Group, you can create multiple Tunnel Groups per usergroup. For example, usergroup1tunnel:
General > Basic > Group Policy: usergroup1policy
General > AAA > Authentication Server Group: your RADIUS server
General > AAA > Authorization Server Group: your RADIUS server
General > Client Address Assignment > Address Pools: your address pool
General > Advanced > Interface-Specific Authentication Server Groups > Interface: inside
General > Advanced > Interface-Specific Client IP Address Pools > Interface: inside
General > Advanced > Interface-Specific Client IP Address Pools > Address Pool: your address pool
WebVPN > Basic > Authentication: AAA
WebVPN > Basic > DNS Group: DefaultDNS
WebVPN > Basic > Alternative group policy: usergroup1policy
WebVPN > Group Aliases and URLs > Group Aliases: usergroup1 <<< this will show in drop-down list if enabled.
WebVPN > Web Page > Webpage Customization: DfltCustomization
Properties > AAA Setup > AAA Servers
Server Group: server name
Accounting Mode: Single
Reactivation Mode: depletion
Dead Time: 10 minutes
Max Failed Attempts: 3
Servers in Selected Group
Interface Name: Inside
Server Name or IP Address: your entries here
Timeout: 10 seconds
Server Authentication Port: your entries here (i.e. 1645)
Server Accounting Port: your entries here (i.e. 1646)
Retry Interval: 10
Server Secret Key: your entries here should be the same as configured in the RADIUS server
Common Password: NONE
ACL Netmask Convert: Wildcard
There's no special attribute to set it to "Class". However the "Class" setting is done in MS 2003 IAS.
I created a routing object for each usergroup. This is the IP Address/network they are allowed to access. The routing object will then be called in the usergroup Group Policy under General > Filter to create the ACL and ACEs.
In the Remote Access Policy of MS 2003 IAS;
- Create a policy for each usergroup
- In the Advanced Tab, add "Class" and type "OU=usergroup_name_in_AD;"
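The ASDM steps above, written out as the equivalent ASA CLI. This is an added example, not configuration from the poster or from Cisco; the server address, shared secret, pool range, ACL and the names usergroup1policy / usergroup1tunnel / usergroup1 are assumptions. The one line the ASDM walk-through does not mention is `group-lock value`, which is what makes the RADIUS Class attribute (25, value "OU=<group-policy name>;") bind the user to that tunnel group instead of merely applying the policy.

```text
! --- RADIUS server group (Properties > AAA Setup > AAA Servers) ---
aaa-server RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server RADIUS (inside) host 10.0.0.5
 key SharedSecretHere          ! assumed; must match the RADIUS server's secret
 timeout 10
 retry-interval 10
 authentication-port 1645
 accounting-port 1646

! --- address pool (General > Client Address Assignment > Address Pools) ---
ip local pool usergroup1-pool 192.168.100.10-192.168.100.100 mask 255.255.255.0

! --- per-usergroup filter (General > Filter); "routing object" in the post ---
access-list usergroup1-acl extended permit tcp any 10.10.10.0 255.255.255.0 eq 443
access-list usergroup1-acl extended deny ip any any

! --- group policy; everything not set here is inherited from DfltGrpPolicy ---
group-policy usergroup1policy internal
group-policy usergroup1policy attributes
 vpn-tunnel-protocol webvpn
 vpn-filter value usergroup1-acl
 group-lock value usergroup1tunnel   ! user may only connect via this tunnel group

! --- tunnel group; on 7.x images the type keyword is "webvpn" ---
tunnel-group usergroup1tunnel type remote-access
tunnel-group usergroup1tunnel general-attributes
 address-pool usergroup1-pool
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 default-group-policy usergroup1policy
tunnel-group usergroup1tunnel webvpn-attributes
 authentication aaa
 dns-group DefaultDNS
 customization DfltCustomization
 group-alias usergroup1 enable       ! shown in the drop-down when the list is on

! --- WebVPN itself; tunnel-group-list controls the drop-down ---
webvpn
 enable outside
 tunnel-group-list enable
```

With this in place the RADIUS server returns Class = "OU=usergroup1policy;" in its Access-Accept; the ASA applies usergroup1policy, and because that policy carries `group-lock value usergroup1tunnel`, a user who picked any other alias from the drop-down is rejected rather than silently landing in DefaultWEBVPNGroup / DfltGrpPolicy. The interface-specific variants from the ASDM path (authentication-server-group and address-pool) take the interface name in parentheses before the group or pool name.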
I should clarify that the Class setting is being sent from our radius server.
Since it does this I would like the ASA to determine what VPN group a user should be assigned to when they login via the webvpn.
If disabling the drop-down list does not allow a user to get assigned to their configured group, then how can I get group-lock to work.
The use case would be that the drop-down list shows several groups. A user is assigned to one of them on the radius server. If a user selects a group that they are not assigned to, then authentication will not be allowed.
The goal is to prevent a user from just using any group.
Check out this link on how to lock users in the group. It is document ID 13831.
I've set this up already. The 'class' gets sent but the ASA doesn't seem to enforce the group-lock via webvpn.
What am I missing?
I assume that you have the correct syntax: 25="OU=filtergroup;" The filter group name is case sensitive. Whatever the filter group name (case sensitive) that you set up in the ASA, set up the same group name (case sensitive) in RADIUS. Also, make sure there is a ";" after the group name. One last thing, you might need to restart the service in RADIUS after adding or changing the group name. I don't know FREERADIUS.
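The FreeRADIUS side of the same thing, since the original poster runs FreeRADIUS rather than IAS. This is an added example with constructed entries, not the poster's users file or any Cisco-supplied text; the user names, the group-policy name usergroup1policy, and the assumption that an existing DEFAULT entry below these lines handles the system/NIS authentication are all hypothetical. On the ASA, RADIUS attribute 25 (Class) with the value "OU=<group-policy name>;" selects the group policy, so the name after OU= must be the ASA group-policy name, not an AD or NIS group name.

```text
# /etc/raddb/users  (FreeRADIUS "users" file; constructed example entries)
#
# Reply item 25 = Class.  The ASA expects exactly:  OU=<group-policy name>;
#   - the name is compared case-sensitively against the ASA group-policy
#   - the trailing ";" is part of the required format
# Check items (password / Auth-Type) are omitted here; Fall-Through lets a
# later DEFAULT entry that does the system/NIS authentication still match.

# Correct: name and case match the ASA group-policy "usergroup1policy"
alice
        Class = "OU=usergroup1policy;",
        Fall-Through = Yes

# Wrong: trailing ";" missing -- the ASA will not match the policy and the
# user falls back to DfltGrpPolicy in DefaultWEBVPNGroup
bob
        Class = "OU=usergroup1policy",
        Fall-Through = Yes

# Wrong: case differs from the ASA name -- same fallback as above
carol
        Class = "OU=UserGroup1Policy;",
        Fall-Through = Yes
```

Two checks close the loop. On the FreeRADIUS box, `radtest alice <password> <radius-ip> 0 <secret>` should print an Access-Accept whose attribute list includes `Class = "OU=usergroup1policy;"` (FreeRADIUS re-reads the users file on restart or HUP, which is the "restart the service" step mentioned above). On the ASA, `debug radius` during a WebVPN login shows the same attribute 25 arriving in the Access-Accept; if it arrives correctly but the user still lands in DfltGrpPolicy, the mismatch is on the ASA side (policy name, or a missing `group-lock value` in that policy), not in RADIUS.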