MS IAS and webvpn access

snoopdogg · ‎01-09-2006

I have configured my vpn concentrator to use M$ ias so users can authenticate using Acitve Directory. User with the software client are able to connect using active directory. web vpn users are unable to login using active directory but can login using the internal database. Cisco documentation says to do this for radius for webvpn

Assigning WebVPN Users to Groups

Using a RADIUS server to authenticate users, assign users to groups by following these steps:

--------------------------------------------------------------------------------

Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group.

Step 2 Set the class attribute to the group name in the format OU=group_name

For example, to set a WebVPN user to the SSL_VPN group, set the Radius Class Attribute to a value of OU=SSL_VPN; (Don't omit the semicolon.)

I don't see where to configure this option on my vpn 30000 concentrator. I am thinking this an option for Cisco ACS server.

BrettBartlett · ‎01-10-2006

Hey, snoopdogg - I'm doing exactly the same thing - using M$ IAS to authenticate WebVPNO users. The class attribute is something you setup in IAS. If you go to the IAS policy on the Advanced tab, add an attribute & look for "Class" in the RADIUS Standard attribues section near the top. That's where you can add the "OU=YourGroupName;".

That's all nice & stuff, but it doesn't make everything work for me. The user ID gets authenticated OK against the rule I created, but the group also tries to authenticate to RADIUS as a user, and it fails due to unknown username & password. Any ideas on fixing that?