topic Re: AV Pairs for VPN Group binding with Radius and ASA in Network Access Control

AV Pairs for VPN Group binding with Radius and ASA

dbteo — Sun, 10 Mar 2019 21:55:15 GMT

Hi All,

what I want to do is to bind a specific vpn user with a specific vpn group using a Radius server for AAA and ASA as end point of the vpn.

Which is the correct AV pair to use in the communication?

Is there a list of all AV pairs usable with ASA and Radius?

All information are welcome (example, link manual and command, tips & tricks).

Thanks in advance,

Matteo

Additional info

Radius is a FreeRadius v 1.1.2

ASA is a ASA5520 v 7.2(1)

Re: AV Pairs for VPN Group binding with Radius and ASA

Vivek Santuka — Mon, 15 Jan 2007 12:47:53 GMT

For group binding we need to use the Class attribute, It is IETF attribute number 25.

The format is ou=;

Regards,

Vivek

Re: AV Pairs for VPN Group binding with Radius and ASA

dbteo — Mon, 15 Jan 2007 13:11:24 GMT

Thanks Vivek.

I was just using that AV pair and what I had as result is:

Raiusd output ->

Sending Access-Accept of id 234 to 192.168.0.253 port 1025

Framed-IP-Address = 172.26.101.1

Framed-IP-Netmask = 255.255.255.255

Service-Type = Framed-User

Class = 0x76706e67727070726f7661

Class is set in the postgres db on a freebsd machine where FreeRadius is running, the real value of Class is OU=vpngrpprova and the vpnclient is presenting its self as vpngrpprova2.

When authenticated and processed what I have is that the client is binded to vpngrpprova2 and not to vpngrpprova.

Where is the mistake?

Many thanks

Matteo

Re: AV Pairs for VPN Group binding with Radius and ASA

Vivek Santuka — Mon, 15 Jan 2007 15:56:05 GMT

Hi,

I think the missing ; is the culprit. The Class attribute is to be defined as :-

OU=vpngrpprova;

Let me know how this goes.

Re: AV Pairs for VPN Group binding with Radius and ASA

dbteo — Mon, 15 Jan 2007 16:16:37 GMT

Hi,

this is the content of the postreges db for Radius:

INSERT INTO radcheck VALUES (3, 'roberto', 'User-Password', '==', 'pass');

INSERT INTO radreply VALUES (19, 'roberto', 'Service-Type', '=', 'Framed-User');

INSERT INTO radreply VALUES (17, 'roberto', 'Framed-IP-Address', '=', '172.26.101.200');

INSERT INTO radreply VALUES (18, 'roberto', 'Framed-IP-Netmask', '=', '255.255.255.0');

INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'ou=vpngrpprova');

Re: AV Pairs for VPN Group binding with Radius and ASA

Vivek Santuka — Mon, 15 Jan 2007 18:06:25 GMT

Hi,

Need to change :-

INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'ou=vpngrpprova');

into

INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'ou=vpngrpprova;');

Re: AV Pairs for VPN Group binding with Radius and ASA

dbteo — Tue, 16 Jan 2007 08:45:54 GMT

Hi,

change made but it still doesnt work

INSERT INTO radcheck VALUES (3, 'roberto', 'User-Password', '==', 'pass');

INSERT INTO radreply VALUES (19, 'roberto', 'Service-Type', '=', 'Framed-User');

INSERT INTO radreply VALUES (17, 'roberto', 'Framed-IP-Address', '=', '172.26.101.200');

INSERT INTO radreply VALUES (18, 'roberto', 'Framed-IP-Netmask', '=', '255.255.255.0');

INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'ou=vpngrpprova;');

What else?

Ask me all info you need.

Thanks a lot

Matteo

Re: AV Pairs for VPN Group binding with Radius and ASA

Vivek Santuka — Tue, 16 Jan 2007 12:24:49 GMT

Maybe because the radius server is sending the class value in hex "Class = 0x76706e67727070726f7661"

Also the class value is case sensetive.

Re: AV Pairs for VPN Group binding with Radius and ASA

dbteo — Tue, 16 Jan 2007 12:44:41 GMT

Hi vsantuka,

thanks for your reply.

I have just done some other check using this software NTRadPing of Dialways .

This is a part of the FreeRadius output:

Sending Access-Accept of id 2 to 172.16.5.10 port 2163

Framed-IP-Address = 172.26.101.200

Framed-IP-Netmask = 255.255.255.0

Service-Type = Framed-User

Class = 0x6f753d76706e67727070726f76613b

This is what the client receives:

reply packet code=2 id=2 length=55

response: Access-Accept

Framed-IP-Address = 172.26.101.200

Framed-IP-Netmask = 255.255.255.0

Service-Type = Framed-User

Class=ou=vpngrpprova;

Maybe something is wrong in the ASA config?

Thanks

Matteo

Re: AV Pairs for VPN Group binding with Radius and ASA

Vivek Santuka — Tue, 16 Jan 2007 16:24:16 GMT

My bad. Forgot the most important thing.

We need to "Make sure OU is in capital letters and that there is a semicolon after the group name."

We have the semicolon but our "OU" is in lowercase.

Re: AV Pairs for VPN Group binding with Radius and ASA

dbteo — Tue, 16 Jan 2007 16:52:09 GMT

Dont worry...but with OU in uppercase we are still experiencing the problem.

This is the content of the db now:

INSERT INTO radreply VALUES (27, 'roberto', 'Class', '=', 'OU=vpngrpprova;');

INSERT INTO radreply VALUES (19, 'roberto', 'Service-Type', '=', 'Framed-User');

INSERT INTO radreply VALUES (17, 'roberto', 'Framed-IP-Address', '=', '172.26.101.200');

INSERT INTO radreply VALUES (18, 'roberto', 'Framed-IP-Netmask', '=', '255.255.255.0');

The tunnelgroup name specified in the pcf is vpngrpprova2.

And we are logged using vpngrpprova2 credential group.

Do you need other informations?

Thanks a lot

Matteo

Re: AV Pairs for VPN Group binding with Radius and ASA

Vivek Santuka — Tue, 16 Jan 2007 18:08:27 GMT

Duh ! Asa works differently - Not as concentrator etc.

With Asa the Class attribute will just provide the group policy name and not the group name.

The group policy on the Asa will then have the group to which the users needs to be bound.

Let's say you want to lock user rj123 into group RemoteGroup. Then on the

radius server define IETF attribute 25 Class "OU=RemotePolicy;" for this user. Here is the

config on the ASA:

group-policy RemotePolicy internal

group-policy RemotePolicy attributes

dns-server value 10.1.1.1 10.2.2.2

group-lock value RemoteGroup

Basically the OU set the group policy for this user and in the group policy

you lock the user into the tunnel-group that you want.

Re: AV Pairs for VPN Group binding with Radius and ASA

dbteo — Thu, 18 Jan 2007 16:12:17 GMT

Ok,

this works, but it's an half solution.

Because we would like to give away only one pcf that contains a valid group.

Then using only Radius authenticate the valid user using username and password.

What happens now is:

I have a pcf containing vpngrpprova2 and the user roberto password pass.

Using this and having as Radius reply Class=OU=gpvprova that group-lock to vpngrpprova the user is rejected because of the difference in tunnel-group (vpngroup in pcf != vpngroup in group-policy returned by Radius).

Instead we want the user authenticated because username and password are right and tunnel parameters are those of vpngrpprova tunnel-group.

I hope that my explanation is clear.

Matteo

ps: is it possible doing this request or something similar to for webvpn?

Many many thanks