group-policy TEST internal
group-policy TEST attributes
 dns-server value 192.168.1.1
 vpn-filter value vpnclients_filter
 vpn-tunnel-protocol IPSec svc
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclients_splitTunnelAcl

group-policy vpnclients internal
group-policy vpnclients attributes
 dns-server value 192.168.1.1
 vpn-filter value vpnclients_filter
 vpn-tunnel-protocol IPSec svc
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclients_splitTunnelAcl
Group lock works a little differently on the ASA platform. If you configure the ACS with Radius Class Attribute #25 to send OU=xxxxx, the ASA interprets this as the group-policy that should be associated to the connecting user. Within this group policy, you can configure a tunnel group lock using the "group-lock" command. Alternatively, you can enable Cisco ASA Vendor Specific Attribute (VSA) #85 - Tunnel-Group-Lock = in ACS to identify what tunnel group the connecting user should be permitted to access. Based on the config snippet you provided, I would expect all users to terminate on the DefaultWEBVPNGroup tunnel group, however, users may be associated with different group policies.
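The configuration below is an added example, not part of the original thread, showing the group-policy form of the lock described in the reply above. The names TG-STAFF, GP-STAFF, GP-NOACCESS and ACS-RADIUS, the server address and the shared-secret placeholder are assumptions, and the syntax follows the 8.x style of the snippet above.

```text
! Constructed example. All object names and the server address are assumptions.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! Fallback policy for users whose RADIUS reply carries no Class attribute:
! zero simultaneous logins means the session is refused.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy the ACS assigns by returning IETF attribute 25 (Class) = "OU=GP-STAFF;"
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-tunnel-protocol IPSec svc
 ! A user who receives this policy is accepted only when connecting
 ! through tunnel group TG-STAFF; any other tunnel group is refused.
 group-lock value TG-STAFF
!
tunnel-group TG-STAFF type remote-access
tunnel-group TG-STAFF general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy GP-NOACCESS
!
! Alternative to the group-lock line: have the ACS return the lock per user
! or per group as Cisco VPN 3000/ASA VSA (vendor ID 3076) attribute 85,
! Tunnel-Group-Lock = "TG-STAFF".
```

With the default group policy set to a no-access policy, a user for whom the ACS returns no matching OU= value cannot fall through to a permissive default.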
I know this is a very old post; however, I wish you are able to help me. I've been trying to configure group locking with an ACS 5.2. I could find the attributes 33 and 85 in the RADIUS dictionary; however, when I try to select these attributes in an access policy they are not shown there.
In the old ACS 4.x you can enable or disable the attributes to show in the User or Group Settings in Interface Configuration, but here in ACS 5.2 I cannot find a similar option. There is not an enable button or check box anywhere. Could you please help me with this?