Solved: Re: PIX remote access - two groups

tomas.backo · ‎03-31-2008

Hello all,

please is it possible to distinguish two remote access groups on radius server?

For example i have two groups. One for employes and second for externalist.

I authentificate them on one radius server.

It is possible to distinguish between these two groups on radius server?

How can i do this?

Because when i create two tunnel groups and two policy groups, i am still able to access both groups with user from employe or externalist group. And when i look to log on IAS server, i wasnt able to distinguish between log entry when i login as employe and when i login as externalist :(

Thank you in advance

Tomas

Alan Huseyin Kayahan · ‎04-09-2008

Tomas,

Ok then, we have 2 tunnel-groups and 2 group-policies for tunnel-groups, here is what you have to do.

*First, we should lock the group-policies to tunnel groups so that one policy would not use the other tunnel-group. For achieving this, following is the sample CLI commands

tunnel-group test1 general-attributes

default-group-policy policy1

tunnel-group test2 general-attributes

default-group-policy policy2

group-policy policy1 attributes

group-lock value test1

group-policy policy2 attributes

group-lock value test2

*Now lets do the config on IAS. You should have 2 seperate Remote access policies created for your 2 different windows groups in IAS, for example

Remote access policy x

If Windows Group matches "yourdomain\externalist"

Grant access

Remote access policy y

If Windows Group matches "yourdomain\employees"

Grant access

Now in Remote access policy x, click edit profile>click advanced>click add. Choose "Class" attribute. This RA policy is for externalists, and lets say that we want to lock that windows group to test1 tunnel group. So enter OU=policy1 value in Class attribute. This is the group-policy name that we locked to tunnel-group test1

Follow the same path and enter OU=policy2 for Remote access policy y, the employees windows group.

Regards

View solution in original post

Alan Huseyin Kayahan · ‎03-31-2008

Hi Tomas,

Please explain what exactly you want to achieve.

You have two tunnel-groups now, and you dont want the user of tunnel-group externalist to access tunnel-group employee or what?

Regards

tomas.backo · ‎03-31-2008

Hi Husycisco,

firstly sorry for not very clearly written question, i was in a hurry :(

So what i need to do:

i have to different type of users: employers and externalist.

I am using radius server for authentification of users.

I am using pre-shared keys for both tunnel-groups. (I can't suppose, that user's from one group don't know pre-shared key from second)

Now I can connect as employer to employer's tunnel-group and as externalist to externalist's tunnel-group.

But because I am using the same radius server for both groups (so users for both groups are defined on radius - there are two windows groups exactly), I can also connect as employer to externalist's tunnel and vice-versa as externalist to employer's tunnel.

I understand this behaviour: radius isn't able to distinguish now, if employer is authenticating to employer's or externalist's tunnel. Radius only know, that this user is defined and permited to login to VPN. So access is granted to user.

My question is: is it possible to distinguish on radius which tunnel-group is user trying to log in? ( Maybe send accessed group as attribute from PIX to radius )

And is it possible to setup microsoft IAS policy to distinguish between request from employer's and externalist's group?

Thank you very much for you help.

Hope that now it is much more clear, and sorry my for my english :)

Tomas

reachonenetadm · ‎04-08-2008

I also have this need. I have an ASA and would like to present two different WebVPN customizations to each group. I think we may be looking at aaa authorization here, as opposed to authentication but not sure. Any help would be appreciated.

Alan Huseyin Kayahan · ‎04-08-2008

Oh, totally forgot that question, let me check the attribute and respond....

Alan Huseyin Kayahan · ‎04-08-2008

Tomas, if you are still interested, let me know and I will write a step by step

Alan Huseyin Kayahan · ‎04-08-2008

reachonenetadm,

Are you using Windows IAS?

reachonenetadm · ‎04-09-2008

I am using Windows IAS, yes.

tomas.backo · ‎04-08-2008

Hello Husycisco,

i am still very interested in :) and i will be very thankfull if you can help me with this.

Thank in advance

Tomas

Alan Huseyin Kayahan · ‎04-09-2008

Tomas,

Ok then, we have 2 tunnel-groups and 2 group-policies for tunnel-groups, here is what you have to do.

*First, we should lock the group-policies to tunnel groups so that one policy would not use the other tunnel-group. For achieving this, following is the sample CLI commands

tunnel-group test1 general-attributes

default-group-policy policy1

tunnel-group test2 general-attributes

default-group-policy policy2

group-policy policy1 attributes

group-lock value test1

group-policy policy2 attributes

group-lock value test2

*Now lets do the config on IAS. You should have 2 seperate Remote access policies created for your 2 different windows groups in IAS, for example

Remote access policy x

If Windows Group matches "yourdomain\externalist"

Grant access

Remote access policy y

If Windows Group matches "yourdomain\employees"

Grant access

Now in Remote access policy x, click edit profile>click advanced>click add. Choose "Class" attribute. This RA policy is for externalists, and lets say that we want to lock that windows group to test1 tunnel group. So enter OU=policy1 value in Class attribute. This is the group-policy name that we locked to tunnel-group test1

Follow the same path and enter OU=policy2 for Remote access policy y, the employees windows group.

Regards

reachonenetadm · ‎04-09-2008

That worked brilliantly for me. Thanks VERY much for posting this.

Cheers

Alan Huseyin Kayahan · ‎04-09-2008

You are welcome reachonenetadm, and thanks for rating. I hope it works for Tomas too.

Regards

camila9898 · ‎04-21-2008

is there any way to do it on PIX 6.3(5)

tomas.backo · ‎04-21-2008

Hi Husycisco,

it is working for me also.

I answer before 2 weeks .. respectively i think that i answer :) ... but in fact i only rate this conversation.

So one more time, thank you very much. You help me a lot with this problem!

Tomas

Alan Huseyin Kayahan · ‎04-21-2008

Tomas,

Nice to hear that it worked for you, and thanks for rating.

Regards