topic Re: ASA - logging via radius with group name passed. in Network Access Control

ASA - logging via radius with group name passed.

marcin.mazurek — Sun, 10 Mar 2019 21:58:12 GMT

Hi,

I'm trying to setup ASA5520 with Radius to authenticate users with group

privileges.

Useing Radius with ASA to authenticate users is quite simple. When I try

to pass from asa tunnel-group name (with group-policy and attributes

attached) there is a problem that ASA dosn't pass any group name to

radius.

Is there any way to overcome it?

What I want to do is to apply different policies to username depending

with what tunnel-group name he logs in to webvpn. I assume one user may

be member of different groups.

Marcin

Re: ASA - logging via radius with group name passed.

fmeetz — Mon, 12 Feb 2007 14:33:33 GMT

The issue is the tunnel group name must be the IP address of the remote peer.

For example

tunnel-group 172.20.77.10 type ipsec-l2l

tunnel-group 172.20.77.10 ipsec-attributes

Re: ASA - logging via radius with group name passed.

marcin.mazurek — Mon, 12 Feb 2007 14:36:05 GMT

I'm trying to pass this in webvpn, not ipsec tunnel. Do You know if this is possible?

Re: ASA - logging via radius with group name passed.

astroman — Tue, 22 May 2007 14:04:48 GMT

It's possible.

Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.

Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or other method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, which you can then limit URL's shown with the url-list command.

Long winded, I know...any questions, please ask.

Re: ASA - logging via radius with group name passed.

ydemissie — Wed, 06 Jun 2007 15:31:37 GMT

I ran into a problem with ASA 7.0(6) because with that version you cannot specify an IP address pool in the group policy (only in the tunnel group). So, if the default tunnel-group does not have an IP pool assign to it, the client cannot get an IP address. With Version 7.2(2), you can assign an IP pool in both the Group Policy and the Tunnel-Group so you can assign a specific IP pool based on the attribute 25 received from the radius server.

Re: ASA - logging via radius with group name passed.

xnym — Fri, 08 Jun 2007 03:16:18 GMT

astroman,

You advice is really helpful! but I have a doubt on "Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group"

We shall define a group policy for a tunnel group. If we do not specify the default group policy for the default WebVPN tunnel group, is it harmless to specify one of the user-defined group policies? Or will it better to create a dummy group policies for this?

Re: ASA - logging via radius with group name passed.

astroman — Fri, 08 Jun 2007 09:28:15 GMT

I apologize if I was unclear...

Yes, you'll have to keep the default webvpn group policy when the default webvpn tunnel-group is built.

I have some other recommendations as far as keeping the default webvpn group locked down tightly via ACS, that I'll post about in a little while.

Any other questions, please let us know...