ACS 5.3 Service selection rules to differentiate webvpn and ipsec remote access

ochalmers
Level 1

Hi Guys,

I'm working with an ACS 5.3 and ASA 8.2.5 and I've configured several access services for webvpn and ipsec remote access profiles, but I haven't found which RADIUS attribute can help me to differentiate among them in the service selection rules.

Thanks in advance

Oscar

5 Replies

Tarik Admani
VIP Alumni

Are you trying to configure dynamic access policies, to assign the user the proper permissions (either web or svc)? If so, you can set any value for the RADIUS Class attribute in ACS (under the authorization profile) and map that to the authorization rule for VPN users. Then use that same RADIUS attribute in ASDM and map that in the DAP condition on the ASA.

If you are trying to validate if the user is coming through the correct tunnel group then that radius attribute in the access-request is "CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name", you can create a condition to see if the correct user is connecting to the correct tunnel group.

Let me know if that is what you are looking for.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik, I configured two VPN profiles, A=Employees and B=IT Team, to connect through a web portal, but I want to be able to differentiate which profile is being used by a user because each one of them has an authorization profile associated. I've used "CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name" in the service selection rule but it seems not to be working as expected.

Ok,

It looks like you are setting the correct rule in making the authorization decision, so if UserA authenticates through Tunnel-Group Employee, then you can send them back the RADIUS attribute Class=Employee. From there you can create a DAP policy, use the radius attribute.25, set that equal to Employee, and choose the settings in the DAP record that you want: AnyConnect client, or webvpn only with a bookmark list.

You can also assign them to a group policy following this guide (even though it is for acs 4 just assign the attributes like you are doing).

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

Here is another helpful thread:

https://supportforums.cisco.com/thread/2063181

One more troubleshooting step is to reset the hit counters on the ACS itself, then force-update the hit counters (they take 15 minutes to refresh by default) to see if you are hitting the right rules.

Tarik Admani
*Please rate helpful posts*

Hi Tarik, I have another question.

If you have a user who has two VPN profiles (webvpn, ipsec remote access), what RADIUS attribute can I use to know which profile is being used? I've been testing with "CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name" in the service selection rules but with no luck. Is there a debug or maybe a command I can use to watch what is happening behind the scenes?

Thanks for your support.

Oscar

Oscar,

The attribute CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name is in the access request, and this is the tunnel group (connection profile) that the user is trying to connect through.

You can assign the user the proper group policy based on the Class attribute. So if you have a group-policy that is named "webvpn" and another that is named "anyconnect", then you can send back the RADIUS IETF Class attribute and set that equal to "OU=webvpn;" or "OU=anyconnect;".

I hope that helps!

Tarik Admani
*Please rate helpful posts*
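As an added illustration (not code from this thread or from Cisco), the Python below encodes and decodes the two attributes the replies rely on: the Cisco Tunnel-Group-Name VSA that arrives in the Access-Request, and the IETF Class attribute (attribute 25) sent back in the Access-Accept, then applies the "OU=group-policy;" convention described above. The vendor ID 3076 and sub-attribute number 146 are assumptions taken from the Cisco VPN3000 dictionary, and the tunnel-group-to-policy mapping is constructed for the example.

```python
import struct

IETF_CLASS = 25                # the "radius attribute.25" the thread maps in the DAP record
IETF_VSA = 26                  # Vendor-Specific attribute that carries the Cisco dictionary
CISCO_VPN3000_VENDOR = 3076    # assumption: vendor ID of the CVPN3000/ASA/PIX7.x dictionary
VSA_TUNNEL_GROUP_NAME = 146    # assumption: sub-attribute number of DAP-Tunnel-Group-Name

def encode_attr(atype: int, value: bytes) -> bytes:
    """Build one RADIUS attribute TLV: type, total length, value."""
    return bytes([atype, len(value) + 2]) + value

def encode_tunnel_group_vsa(name: str) -> bytes:
    """Cisco VSA layout: vendor id, then vendor type, vendor length, value, inside attribute 26."""
    inner = bytes([VSA_TUNNEL_GROUP_NAME, len(name) + 2]) + name.encode()
    return encode_attr(IETF_VSA, struct.pack("!I", CISCO_VPN3000_VENDOR) + inner)

def parse_attributes(payload: bytes) -> dict:
    """Walk the attribute list and pull out Class and the Cisco Tunnel-Group-Name VSA."""
    found = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        value = payload[i + 2:i + alen]
        if atype == IETF_CLASS:
            found["Class"] = value.decode()
        elif atype == IETF_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == CISCO_VPN3000_VENDOR and vtype == VSA_TUNNEL_GROUP_NAME:
                found["Tunnel-Group-Name"] = value[6:4 + vlen].decode()
        i += alen
    return found

def class_for_tunnel_group(tunnel_group: str) -> str:
    """ACS side: pick the Class value to return for the tunnel group seen in the Access-Request."""
    policy = {"Employees": "webvpn", "IT-Team": "anyconnect"}.get(tunnel_group)  # constructed mapping
    if policy is None:
        raise LookupError("no authorization profile for tunnel group %r" % tunnel_group)
    return "OU=%s;" % policy

def group_policy_from_class(class_value: str):
    """ASA side: a Class of the form 'OU=<group-policy>;' selects that group policy."""
    if class_value.startswith("OU=") and class_value.endswith(";"):
        return class_value[3:-1]
    return None
```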