Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1178
Views
0
Helpful
5
Replies

ASA- SSL / Clientless SSL VPN with NPS

MATHEW KALLELIL
Level 4
Level 4

‎07-12-2012 11:59 AM - edited ‎03-11-2019 04:30 PM

On ASA we utilize the group-lock to make sure that a user is logging into the correct tunnel group and match that against the OU attribute the user exists in on the radius server.  The issue we have is that some of our users need to belong to multiple groups. Since Radius servers do a top down match on the request, the OU returned is the first group the user belongs to which means each user is stuck in one login option.

Is there a way to get the ASA to end the group-lock value in the OU of the radius request so the server can validate if the user is a member of that group. 

Labels:
0 Helpful
5 Replies 5

Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎07-20-2012 12:08 PM

Hi Bro

If you were to remove the "group-lock" command on a username that needs to belong to multiple tunnel-groups, does this work for you? By the way, just to understand better, why does a user need to belong in multiple tunnel-groups? Please do highlight and enlight?

The reason I asked is because the function of the "group-lock: command is to tie the username down to a fixed set of parameters that's define in the group-policy.

Warm regards,
Ramraj Sivagnanam Sivajanam
0 Helpful

MATHEW KALLELIL
Level 4
Level 4
In response to Ramraj Sivagnanam Sivajanam

‎07-22-2012 02:16 AM

Some of our users need to belong to multiple groups, like a Manager for an account that needs to access his agents VPN group for testing and the corporate group in general for enhanced access.  Since Radius servers do a top down match on the request, the OU returned is the first group the user belongs to which means each user is stuck in one login option.

Is there a way to get the ASA to send the group-lock value in the OU of the radius request, so the server can validate if the user is a member of that group instead?

0 Helpful

Ramraj Sivagnanam Sivajanam
Level 4
Level 4
In response to MATHEW KALLELIL

‎07-22-2012 10:02 AM

Hi Bro

Is your RADIUS server Cisco ACS 5.X?

Warm regards,
Ramraj Sivagnanam Sivajanam
0 Helpful

MATHEW KALLELIL
Level 4
Level 4
In response to Ramraj Sivagnanam Sivajanam

‎07-22-2012 10:26 AM

No, it is Microsoft 2008 Radius server

0 Helpful

Ramraj Sivagnanam Sivajanam
Level 4
Level 4
In response to MATHEW KALLELIL

‎07-25-2012 03:34 AM

Hi Bro

As you know, the group-lock feature is simply to map the incoming VPN usernames to a specific tunnel-group, that's all. In that tunnel-group, you would then have the command “authentication-server-group XXXX” pointing the authentication to your Microsoft 2008 Radius server. That’s it. The job of your Cisco ASA is now down.

Hence, in your Microsoft 2008 Radius server, which is part of the same domain as your Windows AD, you will need to bind the VPN username/group to multiple OUs. You can even assign these VPN usernames with static DHCP POOL IP. This can be achieved if the Radius server was Cisco ACS v4.2 using the IETF RADIUS Attributes. I believe this is something you’d need to work with your Microsoft 2008 Radius server vendor.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card