Group-lock doesn't work

fizban001
Level 1

Hi,

I enabled the group-lock feature on a VPN C2L group, but the ASA doesn't add the tunnel-group-name value to the RADIUS packet sent to the authorization server.

In the past I used the group-lock feature several times with no problem. This is the first time it doesn't work, and I wonder if this may depend on the old ASA version I'm using (8.6.1(2)).

Here are the configuration and the output of "debug radius all" on the ASA:

Configuration:

group-policy Network_Users attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol ikev1
 group-lock value Network_Users
 vlan 24

Debug radius all:

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 156).....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 203 (0xCB)
Radius: Length = 156 (0x009C)
Radius: Vector: 97846DA233F069EE8F1C25FAAB08A1C6
Radius: Type = 1 (0x01) User-Name
Radius: Length = 10 (0x0A)
Radius: Value (String) =
78 30 31 35 35 36 32 33                            |  xxxxxxxx
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
14 80 52 4a 72 0e e5 a1 69 d6 ee d3 0a d3 b9 67    |  ..RJr...i..g
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x8B20C000
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 7 (0x07) Framed-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x1
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 14 (0x0E)
Radius: Value (String) =
35 2e 39 37 2e 31 35 39 2e 32 32 30                |  x.x.x.x
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 15 (0x0F)
Radius: Value (String) =
39 34 2e 33 37 2e 32 34 38 2e 32 30 32             |  94.37.248.202
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 15 (0x0F)
Radius: Value (String) =
39 34 2e 33 37 2e 32 34 38 2e 32 30 32             |  94.37.248.202
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 172.22.5.33 (0xAC160521)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 34 (0x22)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 28 (0x1C)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 39 34 2e    |  ip:source-ip=94.
33 37 2e 32 34 38 2e 32 30 32                      |  37.248.202
send pkt 172.22.39.1/1812
RADIUS_SENT:server response timeout
radius mkreq: 0x1a6
alloc_rip 0x00007ffec924aa48
    new request 0x1a6 --> 204 (0x00007ffec924aa48)
got user 'xxxxxxxx'
got password
add_req 0x00007ffec924aa48 session 0x1a6 id 204
RADIUS_DELETE
remove_req 0x00007ffec9249ec0 session 0x1a5 id 203
free_rip 0x00007ffec9249ec0
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=94.37.248.202

RADIUS packet decode (authentication request)

As said before, the packet doesn't contain the ID 146 Tunnel-Group-Name attribute that was usually added when group-lock was enabled. I'm talking about this:

Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 32 (0x20)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 26 (0x1A)
Radius: Value (String) =
54 45 4c 5f 56 50 4e 5f 49 6e 74 72 61 6e 65 74    |  Network_Users
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 150 (0x96) Client-Type
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 1 (0x0001)

Thanks,

Maurizio
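An added check, not from the original thread, that decodes a RADIUS Access-Request attribute by attribute (expanding Vendor-Specific attributes into vendor ID and sub-attributes) and reports whether the NAS included the vendor 3076 Tunnel-Group-Name (146) attribute that the group-lock comparison on the RADIUS server depends on. The two packets are constructed samples, not the poster's captures; the user name, source IP and the all-zero authenticator are placeholders.

```python
import struct

ATTR_VSA = 26
VENDOR_CISCO_VPN3000 = 3076   # vendor of Tunnel-Group-Name (146) and Client-Type (150)
TUNNEL_GROUP_NAME = 146

def parse_attributes(pkt):
    """Yield (type, value); VSAs are expanded to (26, vendor_id, sub_type, sub_value)."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = pkt[pos + 2:pos + alen]
        if atype == ATTR_VSA and len(value) >= 6:
            vendor, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos + 2 <= len(value):
                stype, slen = value[vpos], value[vpos + 1]
                if slen < 2 or vpos + slen > len(value):
                    raise ValueError("malformed VSA")
                yield (ATTR_VSA, vendor, stype, value[vpos + 2:vpos + slen])
                vpos += slen
        else:
            yield (atype, value)
        pos += alen

def tunnel_group_name(pkt):
    """Return the Tunnel-Group-Name the NAS sent, or None when it is absent."""
    for attr in parse_attributes(pkt):
        if len(attr) == 4 and attr[1:3] == (VENDOR_CISCO_VPN3000, TUNNEL_GROUP_NAME):
            return attr[3].decode()
    return None

def vsa(vendor, stype, value):
    return struct.pack("!I", vendor) + bytes([stype, len(value) + 2]) + value

def build_request(attrs, ident=1):
    """Constructed Access-Request; the all-zero authenticator is a placeholder."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: what the 8.6.1(2) debug showed (no group name) vs. the expected request
WITHOUT_TG = build_request([(1, b"user1"), (4, bytes([172, 22, 5, 33])),
                            (ATTR_VSA, vsa(9, 1, b"ip:source-ip=192.0.2.10"))])
WITH_TG = build_request([(1, b"user1"),
                         (ATTR_VSA, vsa(VENDOR_CISCO_VPN3000, TUNNEL_GROUP_NAME, b"Network_Users")),
                         (ATTR_VSA, vsa(VENDOR_CISCO_VPN3000, 150, struct.pack("!I", 1)))])
```

Running tunnel_group_name over a packet captured on UDP/1812 tells you directly whether the ASA is sending the group name, without reading the hex by hand.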

Accepted Solution

I am wondering if your issue is related to this bug:

CSCsw31922

Perhaps upgrading to 8.6.1(5) or higher will solve the issue.


5 Replies

Is Network_Users also the name of the tunnel-group?


Sure

tunnel-group Network_Users type remote-access
tunnel-group Network_Users general-attributes
 address-pool POOL1
 authentication-server-group Radiator-MI
 default-group-policy Network_Users
tunnel-group Network_Users ipsec-attributes
 ikev1 pre-shared-key *****


I have done the identical VPN configuration on another ASA (version 9.1), and on this ASA the tunnel-group-name was correctly added to the RADIUS packet and group-lock works correctly.

Yesterday I compared the two configurations (the one on ASA 9.1 and the one on 8.6.1(2)) line by line, but I found no difference...

For this reason I figured it could depend on version 8.6.1(2). I'm going to go mad...


For the record, it was a bug.

I upgraded the ASA to 9.1(3) and the issue was solved.

Glad you got it sorted!