https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289494#M388455 <P>Hi,</P><P>I want to have my MS IAS RADIUS check on the connection profile that a SSL VPN user selected: Users can only authenticate for profiles that match their group membership. But a single user can be allowed to connect to more than one connection profile, so forcing a user into a profile (with the CLASS attribute in the RADIUS Access-accept) does not work.</P><P></P><P>user jdoe, member of RemoteUsers, can login on RemoteUsersProfile</P><P>user bigceo, member of RemoteUsers and of RemoteExecutives, can login on RemoteUsersProfile and on RemoteExecutiveProfile</P><P>user bofh, member of RemoteUsers and of RemoteAdmins, can login on RemoteUsersProfile and on RemoteAdminProfile</P><P></P><P>So the RADIUS needs to know on which connection profile a user wants to log into. Does anybody know where in the RADIUS request the ASA puts the selected connection profile? And how does that show up on an IAS server?</P><P></P><P>Thanks!</P> Sun, 10 Mar 2019 23:41:26 GMT PETER EIJSBERG 2019-03-10T23:41:26Z https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289494#M388455 <P>Hi,</P><P>I want to have my MS IAS RADIUS check on the connection profile that a SSL VPN user selected: Users can only authenticate for profiles that match their group membership. But a single user can be allowed to connect to more than one connection profile, so forcing a user into a profile (with the CLASS attribute in the RADIUS Access-accept) does not work.</P><P></P><P>user jdoe, member of RemoteUsers, can login on RemoteUsersProfile</P><P>user bigceo, member of RemoteUsers and of RemoteExecutives, can login on RemoteUsersProfile and on RemoteExecutiveProfile</P><P>user bofh, member of RemoteUsers and of RemoteAdmins, can login on RemoteUsersProfile and on RemoteAdminProfile</P><P></P><P>So the RADIUS needs to know on which connection profile a user wants to log into. Does anybody know where in the RADIUS request the ASA puts the selected connection profile? And how does that show up on an IAS server?</P><P></P><P>Thanks!</P> Sun, 10 Mar 2019 23:41:26 GMT https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289494#M388455 PETER EIJSBERG 2019-03-10T23:41:26Z https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289495#M388457 <HTML><HEAD></HEAD><BODY><P>Peter</P><P></P><P>This is an interesting question. For a while I wondered about doing something similar to this. But I have not been able to find any indication that the ASA passes the chosen profile/group in the authentication request to Radius. If someone can show us that this can be done it would be helpful.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Fri, 18 Sep 2009 14:36:49 GMT https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289495#M388457 Richard Burts 2009-09-18T14:36:49Z https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289496#M388458 <HTML><HEAD></HEAD><BODY><P>I've sniffed the radius request coming from the ASA - there is nothing in there referring to a connection profile. I wonder if this is configurable.</P></BODY></HTML> Fri, 18 Sep 2009 16:10:18 GMT https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289496#M388458 PETER EIJSBERG 2009-09-18T16:10:18Z https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289497#M388462 <HTML><HEAD></HEAD><BODY><P>Well, got an anwer from TAC: It is not possible. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P></BODY></HTML> Fri, 18 Sep 2009 18:18:55 GMT https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289497#M388462 PETER EIJSBERG 2009-09-18T18:18:55Z https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289498#M388464 <HTML><HEAD></HEAD><BODY><P>I'm struggling with *EXACTLY* the same issue. Having the connection profile in the RADIUS request would make perfect sense...</P><P></P><P>The best I (and Mike, my contact at Cisco) could come up with so far is to use DAP. From an AUTHENTICATION perspective, all of your users (bofh,jdoe,bigceo) can log on to any profile.</P><P></P><P>But then create DAP entries similar to:</P><P>- DAP1:</P><P> match ALL of:</P><P> connprofile RUProfile</P><P> memberof RemoteUsers</P><P>- DAP2:</P><P> match ALL of:</P><P> connprofile REProfile</P><P> memberof RemoteExecutives</P><P>- DAP3:</P><P> match ALL of:</P><P> connprofile RAProfile</P><P> memberof RemoteAdmins</P><P>- DAP4:</P><P> Terminate</P><P></P><P>That way you can use DAP to enforce ACLs.</P><P></P><P>Hope this helps...</P><P></P><P>Let me know if you come up with anything else. I'm dealing with the same issue here...</P></BODY></HTML> Sun, 20 Sep 2009 20:14:03 GMT https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289498#M388464 fsmontenegro 2009-09-20T20:14:03Z https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289499#M388468 <HTML><HEAD></HEAD><BODY><P>Why not use LDAP authentication back to your active directory (I'm assuming you're using AD because you're using IAS)? Using LDAP authentication will allow you to restrict access via groups in AD.</P><P></P><P>-Steve</P></BODY></HTML> Mon, 21 Sep 2009 17:23:23 GMT https://community.cisco.com/t5/network-access-control/ssl-vpn-asa-radius-and-connection-profiles/m-p/1289499#M388468 sbader48220 2009-09-21T17:23:23Z