Cisco ASA: Group-Policy allocation from RADIUS Class?
I've got a problem. I currently have an AnyConnect profile/tunnel-group which works as follows (this part is not the problem):
1. The user authenticates over a RADIUS server (FreeRADIUS).
2. The RADIUS server connects to an LDAP database and verifies the user credentials.
3. Then, after the LDAP response (OK / NOK), the RADIUS server replies to the ASA and specifies the value of the RADIUS Class attribute IETF-Class-25 to the ASA (OU=<group-policy>).
4. Then the ASA checks whether such a group-policy exists (the name has to be the same as the one from the RADIUS server), and if so, the ASA "places" the user in that group-policy.
Well, the above was just some explanation. It works perfectly with the Cisco AnyConnect client or any Cisco SSL-VPN compliant client (openconnect under Linux, for instance).
The problem is that this doesn't work with IPsec clients, and I don't know exactly why. On the ASA, the connection profile is all right for AnyConnect and for IPsec/IKEv1. The difference is the configuration: with IPsec/IKEv1, as we use it, you need to enter a pre-shared key, and the configuration for the client is not the same (you need to enter a tunnel-group, and the same pre-shared key as the one on the IPsec/IKEv1 connection profile). But the "group-policy attribution from a RADIUS attribute" mechanism doesn't work with such IPsec clients.
The logs say something like "not possible to attribute an IP address ...", as it doesn't place the user in the right group-policy.
Resolved: it was a RADIUS issue! With the IPsec protocol it seems that it didn't return the group from the LDAP database, but a default attribute from the users file. That's now fixed.
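The root cause above is that the ASA only honours a Class (IETF attribute 25) value of the form OU=<group-policy> (Cisco documents it as "OU=name;"), so a Class reply that carries anything else, such as a static default from the FreeRADIUS users file, leaves the user with no group-policy and no address pool. The following is an added example, not code from the original post or from Cisco: a small Python decoder that walks the attribute list of an Access-Accept, pulls out the Class attribute, applies the OU= convention, and reports exactly why a given reply would or would not map to a configured group-policy. The attribute bytes, the policy names and the "default-class" value are constructed for the demonstration; run it against a real capture to see which of the three failure reasons applies.

```python
"""Check how a RADIUS Access-Accept attribute list would resolve to a Cisco ASA
group-policy via the Class (IETF type 25) attribute.

Added example for this thread; not Cisco or FreeRADIUS code. Sample data is
constructed inline.
"""
import struct
from typing import List, Optional, Set, Tuple

CLASS_ATTR_TYPE = 25  # IETF RADIUS attribute "Class"


def parse_radius_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list: each entry is type(1) length(1) value."""
    attrs = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        # Length covers the two header bytes, so it can never be below 2
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def group_policy_from_class(value: bytes) -> Optional[str]:
    """Apply the ASA convention: the Class value must contain 'OU=<group-policy>'.
    A trailing ';' is accepted; any other content yields None."""
    text = value.decode("ascii", errors="replace").strip()
    for part in text.split(";"):
        part = part.strip()
        if part.upper().startswith("OU="):
            name = part[3:].strip()
            return name or None
    return None


def resolve_group_policy(access_accept_attrs: bytes,
                         configured_policies: Set[str]) -> Tuple[Optional[str], str]:
    """Return (group-policy name or None, human-readable reason)."""
    classes = [v for t, v in parse_radius_attributes(access_accept_attrs)
               if t == CLASS_ATTR_TYPE]
    if not classes:
        return None, "no Class attribute in Access-Accept"
    name = group_policy_from_class(classes[0])  # first Class attribute wins here
    if name is None:
        return None, "Class value %r is not in OU=<group-policy> form" % classes[0]
    if name not in configured_policies:
        return None, "group-policy %r does not exist on the ASA" % name
    return name, "ok"


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute (used only to build the constructed samples)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


# Constructed samples (not captured from a real server)
ASA_POLICIES = {"GP-SALES", "GP-ENGINEERING"}
# What the LDAP-backed reply looked like for AnyConnect logons
LDAP_DERIVED = build_attr(CLASS_ATTR_TYPE, b"OU=GP-SALES;")
# What a static users-file default sent instead for the IPsec logons
USERS_FILE_DEFAULT = build_attr(CLASS_ATTR_TYPE, b"default-class")

if __name__ == "__main__":
    for label, attrs in (("ldap", LDAP_DERIVED), ("users-file", USERS_FILE_DEFAULT)):
        print(label, resolve_group_policy(attrs, ASA_POLICIES))
```

The three "reason" strings correspond to the three things worth checking when a user lands without a group-policy: the server sent no Class at all, it sent a Class that is not OU=name, or the name does not match a group-policy configured on the ASA (the names are compared exactly).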