03-03-2009 04:33 AM - edited 03-10-2019 04:21 PM
Dear All!
I have a RA-VPN configuration with a Cisco VPNC and a Cisco Secure ACS 4.2. I do VPN tunnel-group mapping according to the user RADIUS attribute 25 class (ou=...), and it works fine. I migrated this solution from the VPNC to an ASA5520 with 8.0(4) software image, and I can't do this tunnel-group mapping, although the ACS configuration is the same (of course), and I think that the FW configuration is correct also.
All the tunnel-groups are internal, and the authentication is right everywhere, but the tunnel-mapping doesn't work.
Can anyone write a sample config to me for ASA to verify it?
Is there a special command (e.g. "tunnel-group-map enable ou") I should use?
Thanks for the answers!
By(e)
Miki
03-03-2009 07:47 AM
Hi Miki,
"Group mapping" works differently on the ASA than it did on the CVPN: what is mapped on the ASA is the Group policy, not the Tunnel Group.
So basically what you need to do is to create a group policy per group mapping you have and define there the attributes that you want the user to be affected by.
In other words, when the ASA receives the Class value from the Radius server (ACS), instead of putting the user into the Tunnel group that the Class refers to, it looks for an existing Group-Policy with the same name. If one exists, the user is affected by this Group-Policy; if there is none, then the user will be placed into the default one.
HTH
Ivan
03-03-2009 08:51 AM
Hi Ivan,
Thank you for your answer, now it works fine.
My problem with this solution is that I can't use the IP local pools assigned to the tunnel-groups...
I think I should use the ACS local pools, or "assigned IP from the AAA client pool" options, shouldn't I?
By(e)
Miki
03-03-2009 09:10 AM
The pools and ip addressing can either be defined on the group policy with the correct value, or you can use the ACS with either a static ip on the user or with a pool on either group or user; this attribute will be passed in the radius access-accept as a Framed-IP-Address value.
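The following ASA 8.0(4) configuration fragment is an added example illustrating both answers above (group-policy matched by the RADIUS Class attribute, and the address pool defined on that group policy); it is not from the original thread, and the names SALES, SALES_POOL, RA-IPSEC, ACS_SRV and the 192.0.2.10 / 10.10.10.0 addresses are placeholders.

```text
! --- ACS side (assumed values): for users in the SALES group, return
!     IETF RADIUS attribute 25 (Class) with the value  OU=SALES;
!     The ASA matches the OU= part against a group-policy NAME, not a tunnel-group.

! RADIUS server the tunnel-group authenticates against (placeholder address/key)
aaa-server ACS_SRV protocol radius
aaa-server ACS_SRV (inside) host 192.0.2.10
 key <shared-secret-placeholder>

! Address pool lives on the ASA and is bound to the group policy, not the tunnel-group
ip local pool SALES_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! Group-policy name must match the Class OU value exactly (case-sensitive)
group-policy SALES internal
group-policy SALES attributes
 vpn-tunnel-protocol IPSec
 address-pools value SALES_POOL
 vpn-simultaneous-logins 1

! Restrictive fallback: users whose Class value matches no group-policy land here
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! Single internal tunnel-group; the Class attribute selects the policy after authentication
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 authentication-server-group ACS_SRV
 default-group-policy DfltGrpPolicy
tunnel-group RA-IPSEC ipsec-attributes
 pre-shared-key <group-psk-placeholder>

! Alternative to address-pools: let ACS return Framed-IP-Address (attribute 8)
! per user, in which case no pool is needed on the group policy.
```

Verify with `show vpn-sessiondb remote` after a test login: the Group Policy column should read SALES and the Assigned IP should come from SALES_POOL; a session showing DfltGrpPolicy means the Class value and the group-policy name do not match.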
03-04-2009 02:01 AM
Hi!
Thank you very much, it really works.
Regards,
Miki
03-04-2009 06:54 AM
Hi Miki,
I am glad it works, please be sure to rate useful posts