07-12-2012 11:59 AM - edited 03-11-2019 04:30 PM
On ASA we utilize the group-lock to make sure that a user is logging into the correct tunnel group and match that against the OU attribute the user exists in on the radius server. The issue we have is that some of our users need to belong to multiple groups. Since Radius servers do a top down match on the request, the OU returned is the first group the user belongs to which means each user is stuck in one login option.
Is there a way to get the ASA to send the group-lock value in the OU of the radius request so the server can validate if the user is a member of that group?
07-20-2012 12:08 PM
Hi Bro
If you were to remove the "group-lock" command on a username that needs to belong to multiple tunnel-groups, does this work for you? By the way, just to understand better, why does a user need to belong in multiple tunnel-groups? Please do highlight and enlighten me.
The reason I asked is because the function of the "group-lock" command is to tie the username down to a fixed set of parameters that are defined in the group-policy.
07-22-2012 02:16 AM
Some of our users need to belong to multiple groups, like a Manager for an account who needs to access his agents' VPN group for testing and the corporate group in general for enhanced access. Since Radius servers do a top down match on the request, the OU returned is the first group the user belongs to, which means each user is stuck in one login option.
Is there a way to get the ASA to send the group-lock value in the OU of the radius request, so the server can validate if the user is a member of that group instead?
07-22-2012 10:02 AM
Hi Bro
Is your RADIUS server Cisco ACS 5.X?
07-22-2012 10:26 AM
No, it is Microsoft 2008 Radius server
07-25-2012 03:34 AM
Hi Bro
As you know, the group-lock feature is simply to map the incoming VPN usernames to a specific tunnel-group, that's all. In that tunnel-group, you would then have the command “authentication-server-group XXXX” pointing the authentication to your Microsoft 2008 Radius server. That’s it. The job of your Cisco ASA is now done.
Hence, in your Microsoft 2008 Radius server, which is part of the same domain as your Windows AD, you will need to bind the VPN username/group to multiple OUs. You can even assign these VPN usernames with static DHCP POOL IP. This can be achieved if the Radius server was Cisco ACS v4.2 using the IETF RADIUS Attributes. I believe this is something you’d need to work with your Microsoft 2008 Radius server vendor.
P/S: If you think this comment is useful, please do rate them nicely :-)
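Sketch of how the pieces named in this reply fit together on the ASA, added here as an illustration and not posted by anyone in the thread; the server-group name, policy and tunnel-group names, address and shared secret are placeholders:

```cisco
! Added illustration (not from the thread). Names, address and secret are placeholders.

! 1. RADIUS server group that the tunnel-groups authenticate against
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

! 2. Group policies; group-lock pins a policy's users to exactly one tunnel-group
group-policy GP-AGENTS internal
group-policy GP-AGENTS attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG-AGENTS

group-policy GP-CORP internal
group-policy GP-CORP attributes
 vpn-tunnel-protocol ssl-client
 group-lock value TG-CORP

! 3. Tunnel-groups hand authentication to the RADIUS server group
tunnel-group TG-AGENTS type remote-access
tunnel-group TG-AGENTS general-attributes
 authentication-server-group NPS-RADIUS
 default-group-policy GP-AGENTS

tunnel-group TG-CORP type remote-access
tunnel-group TG-CORP general-attributes
 authentication-server-group NPS-RADIUS
 default-group-policy GP-CORP

! 4. The RADIUS server selects the policy by returning IETF Class (attribute 25)
!    as "OU=GP-AGENTS" or "OU=GP-CORP". Because the server returns only the
!    first matching policy, a user placed in GP-AGENTS is locked to TG-AGENTS,
!    which is the single-login-option behaviour the original poster describes.
```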