ASA- SSL / Clientless SSL VPN with NPS

MATHEW KALLELIL
Level 4

On ASA we utilize the group-lock to make sure that a user is logging into the correct tunnel group and match that against the OU attribute the user exists in on the radius server.  The issue we have is that some of our users need to belong to multiple groups. Since Radius servers do a top down match on the request, the OU returned is the first group the user belongs to which means each user is stuck in one login option.

Is there a way to get the ASA to send the group-lock value in the OU of the RADIUS request so the server can validate whether the user is a member of that group?

5 Replies

Hi Bro

If you were to remove the "group-lock" command on a username that needs to belong to multiple tunnel-groups, does this work for you? By the way, just to understand better, why does a user need to belong to multiple tunnel-groups? Please do highlight and enlighten.

The reason I asked is because the function of the "group-lock" command is to tie the username down to a fixed set of parameters that are defined in the group-policy.

Warm regards,
Ramraj Sivagnanam Sivajanam

Some of our users need to belong to multiple groups, like a Manager for an account who needs to access his agents' VPN group for testing and the corporate group in general for enhanced access.  Since Radius servers do a top down match on the request, the OU returned is the first group the user belongs to, which means each user is stuck in one login option.

Is there a way to get the ASA to send the group-lock value in the OU of the radius request, so the server can validate if the user is a member of that group instead?

Hi Bro

Is your RADIUS server Cisco ACS 5.X?

Warm regards,
Ramraj Sivagnanam Sivajanam

No, it is Microsoft 2008 Radius server

Hi Bro

As you know, the group-lock feature is simply to map the incoming VPN usernames to a specific tunnel-group, that's all. In that tunnel-group, you would then have the command “authentication-server-group XXXX” pointing the authentication to your Microsoft 2008 Radius server. That’s it. The job of your Cisco ASA is now done.

Hence, in your Microsoft 2008 Radius server, which is part of the same domain as your Windows AD, you will need to bind the VPN username/group to multiple OUs. You can even assign these VPN usernames with static DHCP POOL IP. This can be achieved if the Radius server was Cisco ACS v4.2 using the IETF RADIUS Attributes. I believe this is something you’d need to work with your Microsoft 2008 Radius server vendor.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
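To make the mapping described in the reply above concrete, here is the ASA CLI shape of one group-locked tunnel-group that hands authentication to a RADIUS server. This is an added illustration, not configuration from the thread or from Cisco; the object names NPS-RADIUS, GP-AGENTS and VPN-AGENTS, the host address 10.0.0.5 and the shared-secret placeholder are assumptions.

```text
! Constructed example (not from the thread): RADIUS server object pointing at an NPS host
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.0.0.5
 key <shared-secret-placeholder>

! Group-policy that locks the users it is applied to into the VPN-AGENTS tunnel-group
group-policy GP-AGENTS internal
group-policy GP-AGENTS attributes
 group-lock value VPN-AGENTS

! Tunnel-group for the agents: authentication is delegated to NPS,
! the ASA itself only enforces the lock and applies the group-policy
tunnel-group VPN-AGENTS type remote-access
tunnel-group VPN-AGENTS general-attributes
 authentication-server-group NPS-RADIUS
 default-group-policy GP-AGENTS
tunnel-group VPN-AGENTS webvpn-attributes
 group-alias agents enable
```

With this in place, a user whose effective group-policy carries a group-lock for a different tunnel-group than the one they selected is denied at login, which is exactly the behaviour the original poster runs into when one RADIUS-returned group has to serve a user who legitimately belongs to several. The ASA side cannot express "member of any of these groups"; the decision about which group a user may log into has to be made on the RADIUS server, as the last reply says, or the lock has to be dropped for those users, as the first reply suggests.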