https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998158#M439522 <HTML><HEAD></HEAD><BODY><P>Hi Bro</P><P>If you were to remove the "group-lock" command on a username that needs to belong to multiple tunnel-groups, does this work for you? By the way, just to understand better, why does a user need to belong in multiple tunnel-groups? Please do highlight and enlight?</P><P></P><P>The reason I asked is because the function of the "group-lock: command is to tie the username down to a fixed set of parameters that's define in the group-policy.</P></BODY></HTML> Fri, 20 Jul 2012 19:08:04 GMT Ramraj Sivagnanam Sivajanam 2012-07-20T19:08:04Z https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998157#M439521 <P>On ASA we utilize the group-lock to make sure that a user is logging into the correct tunnel group and match that against the OU attribute the user exists in on the radius server.&nbsp; The issue we have is that some of our users need to belong to multiple groups. Since Radius servers do a top down match on the request, the OU returned is the first group the user belongs to which means each user is stuck in one login option.</P><P></P><P>Is there a way to get the ASA to end the group-lock value in the OU of the radius request so the server can validate if the user is a member of that group.&nbsp; </P> Mon, 11 Mar 2019 23:30:29 GMT https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998157#M439521 MATHEW KALLELIL 2019-03-11T23:30:29Z https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998158#M439522 <HTML><HEAD></HEAD><BODY><P>Hi Bro</P><P>If you were to remove the "group-lock" command on a username that needs to belong to multiple tunnel-groups, does this work for you? By the way, just to understand better, why does a user need to belong in multiple tunnel-groups? Please do highlight and enlight?</P><P></P><P>The reason I asked is because the function of the "group-lock: command is to tie the username down to a fixed set of parameters that's define in the group-policy.</P></BODY></HTML> Fri, 20 Jul 2012 19:08:04 GMT https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998158#M439522 Ramraj Sivagnanam Sivajanam 2012-07-20T19:08:04Z https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998159#M439523 <HTML><HEAD></HEAD><BODY><P>Some of our users need to belong to multiple groups, like a Manager for an account that needs to access his agents VPN group for testing and the corporate group in general for enhanced access.&nbsp; Since Radius servers do a top down match on the request, the OU returned is the first group the user belongs to which means each user is stuck in one login option.</P><P></P><P>Is there a way to get the ASA to send the group-lock value in the OU of the radius request, so the server can validate if the user is a member of that group instead? </P></BODY></HTML> Sun, 22 Jul 2012 09:16:55 GMT https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998159#M439523 MATHEW KALLELIL 2012-07-22T09:16:55Z https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998160#M439524 <HTML><HEAD></HEAD><BODY><P>Hi Bro</P><P>Is your RADIUS server Cisco ACS 5.X?</P></BODY></HTML> Sun, 22 Jul 2012 17:02:05 GMT https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998160#M439524 Ramraj Sivagnanam Sivajanam 2012-07-22T17:02:05Z https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998161#M439525 <HTML><HEAD></HEAD><BODY><P>No, it is Microsoft 2008 Radius server</P></BODY></HTML> Sun, 22 Jul 2012 17:26:58 GMT https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998161#M439525 MATHEW KALLELIL 2012-07-22T17:26:58Z https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998162#M439526 <HTML><HEAD></HEAD><BODY><P style="text-align: justify;">Hi Bro</P><P style="text-align: justify;">As you know, the group-lock feature is simply to map the incoming VPN usernames to a specific tunnel-group, that's all. In that tunnel-group, you would then have the command “authentication-server-group XXXX” pointing the authentication to your Microsoft 2008 Radius server. That’s it. The job of your Cisco ASA is now down.</P><P></P><P style="text-align: justify;">Hence, in your Microsoft 2008 Radius server, which is part of the same domain as your Windows AD, you will need to bind the VPN username/group to multiple OUs. You can even assign these VPN usernames with static DHCP POOL IP. This can be achieved if the Radius server was Cisco ACS v4.2 using the IETF RADIUS Attributes. I believe this is something you’d need to work with your Microsoft 2008 Radius server vendor.</P><P></P><P></P><P></P><P>P/S: If you think this comment is useful, please do rate them nicely <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Wed, 25 Jul 2012 10:34:35 GMT https://community.cisco.com/t5/network-security/asa-ssl-clientless-ssl-vpn-with-nps/m-p/1998162#M439526 Ramraj Sivagnanam Sivajanam 2012-07-25T10:34:35Z