ACS 5.x / AD /w ASA VPN and group lock

mduling · ‎01-19-2011

Hello all. I'm trying to setup ACS 5.2 with an ASA v8.3.2 to lock users into VPN groups based on a users AD group. I've tried various combinations but the group lock isn't working. I've done steps 1 & 2 ...

1) Network Devices and AAA Clients -> Define VPN

2) Users and Identity Stores -> Setup AD and Directory Groups, test connection

... All good with that. Here is what I don't get.

Policy Elements:

Q1) Policy Elements - Do I need an authorization profile for each group:

Q2) What RADIUS attributes should I use to match my ASA tunnel-groups?

RADIUS-IETF attribute 25?

RADIUS-Cisco VPN 3000/ASA/PIX 7.x 85 (Tunnel-Group-Lock)?

Other?

Access Policies:

Q1) Do I need to enable and use group mapping?

Q2) Do I need a Network Access Authorization Policy for each group?

These are basic questions I know, but there are a number of possibilities and it just isn't clear to me how it should be. Any help is appreciated.

Jatin Katyal · ‎01-19-2011

Here you go:

1. OK

2. Once you have ACS integreated with AD, go to directory groups >> fetched the groups you need.

POLICY ELEMENTS:
------------------------------
1.There is no need to create authorization profile for each group.

2. Push RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) check "[026/3076/085] Tunnel-Group-Lock"

ACCESS POLICIES:
-----------------------------

1.You only need to confgure group mapping if you want that user from the STAFF AD group should fall under STAFF ACS group on successful authentication.

2. Yes, if you need to configure multiple policies under network access authorization if you want to restrict different AD groups on different tunnel-groups.

Regds,

Jatin

Do rate helpful posts~

~Jatin

mduling · ‎01-19-2011

Thanks for the reply Jatin,

Ok, well I set it the way you said it my mac client fails to login. I look deeper and in the ACS report and it says the authentication and authorization policies matched correctly. The report says it is returning "Access-Accept" even though my mac is telling me that the authentication failed.

So then I tried changing the RADIUS params from 'Cisco VPN 3000/ASA/PIX 7.x+ Tunnel-Group-Lock' to RADIUS class 25 and my client succeeds with the vpn login, but I don't get bumped into the vpn group specified in AD.

That seems really odd behavior. Any idea what is wrong?

Mark

Jatin Katyal · ‎01-20-2011

YW!!!

I'm not sure that why it didn't work for you. However, I have seen this working in all my cases. This can also be accomplised using group-lock. However, the reason behind using tunnel-group-lock is;

On ASA, Group that used to be there on VPN3k has been made more granular, and is divided into "Group Policy" and "Tunnel Group".

And the end users connect to "Tunnel Group" and NOT to "Group Policy".

So in order to Lock User to a Group (Tunnel Group) on ASA, we need to configure following attribute on ACS's Group or User :

For RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) check "[026/3076/085] Tunnel-Group-Lock"

and type the "Tunnel-Group" Name, syntax is case sensitive Tunnel-Group name as configured on ASA. Though on ACS you'll see successful authentication, but user will never be able to connect with any other group, than specified in the attribute.

What is the tunnel-group name and group-policy we are terminating VPN connection?

Could you please paste the o/p of ;

show run tunnel-group

show run aaa-server

show run group-policy

run the debug

debug aaa common 255

duplicate the issue, gather the debugs and paste it here.

Let me know if you have any questions.

Rgds,

Jatin

Do rate helpful posts-

~Jatin

mduling · ‎01-20-2011

Jatin,

The debug info on the ASA shows that the tunnel group to be associated is an "** Unresolved Attribute **" This is true with both Cisco attr 85 and IETF 25 RADIUS methods.

The attribute value is the container, correct? For example OU=vpn; or whatever. The ACS authorization policy matches the correct policy based on AD contents. I can see in ACS reports that the authorization policy matched the correct rule.

Maybe I'm confused as to how the contents of my vpngroup container get passed back to the ASA. I guess I thought it would be automatic.

Jatin Katyal · ‎01-20-2011

Hmm, there is command, you must be aware of to check the complete details when user succesfully connected.

show vpn-sessiondb

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s7_72.html#wp1135352

Rgds,

Jatin

Do rate helpful posts-

~Jatin

mduling · ‎01-21-2011

Okay, it seems to be working. I can configure my client with a generic group but after authentication the ASA pushes them into the tunnel-group matching the AD group contents. Here is what I did.

1) Network Devices and AAA Clients -> Define VPN

2) Users and Identity Stores -> Setup AD and Directory Groups

Here is a set of example AD directory groups for use below

ad.mycompany.com/grps/vpn/vpnusercategory1

ad.mycompany.com/grps/vpn/vpnusercategory2

ad.mycompany.com/grps/vpn/vpnusercategory3

The last item (vpnusercategoryx)is the contents of the vpn group. In other words in LDAP parlance the last item is the CN:

CN=vpnusercategory1,OU=vpn,OU=grps,DC=ad,DC=mycompany,DC=com

3) Leave the Directory Attribute tab alone, this is not needed.

4) Test AD setup with "Test Connection" button.

Ok, whereas in ACS 4.x you used an ACS group for each VPN group (I have only used a vpn3000 /w ACS 4), in ACS 5.x you need to use an Authorization Profile for each VPN tunnel group on the ASA. I'm on ASA code 8.3.2.

5) Make an Authorization Profile for each VPN group --three using my example above. In the Radius Attributes of each profile you'd set a RADIUS attribute to push the tunnel-group name back to the ASA.

Dictionary Type: RADIUS-Cisco VPN 3000/ASA/PIX 7.x

RADIUS Attribute: CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock

Attribute Type: String

Attribute Value: Static

Attribute contents: vpnusercategory1

The string above must be identical to a VPN tunnel-group. Ddon't use "OU=" just the bare name. I think you may need "OU=" if you use dictionary RADIUS-IETF attribute 25. Create the other 2 Authorization Profiles the same but push Attribute contents vpnusercategory2, and vpnusercategory3.

6) Now an Access Profile and check "Identity" and "Authorization". As has already been said, you only need to check and use group mapping if you want a user from a given AD group to fall under the ACS group on successful authentication. As far as I can tell, this isn't needed to simply get a user pushed into the AD group he belongs to.

7) Create 3 Network Access Authorization Policies to match the 3 authorization profiles and set the "Results" in each to the corresponding Authorization Profiles.

mduling · ‎02-04-2011

I was using the term 'group-lock' incorrectly. You can't use that to do what I wanted, which was to replicate the behavior of my vpn3000 setup described in the document below as follows: "The Cisco VPN 3000 Concentrator has the ability to lock users into a Concentrator group which overrides the group the user has configured in the Cisco VPN 3000 Client."

http://cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

In other words, on the ASA I want to have users configure a generic tunnel-group (say 'vpngeneric_tunnelgrp') that has an ACL blocking nearly everything, and have them bumped into another ASA policy-group based on their AD group membership after login. In this case you DON'T use "tunnel-group-lock" on your group policies on the ASA config (that is for a different purpose), you only need one tunnel-group (the generic one) on the ASA, and in each ACS authorization profile you push each policy-group (not tunnel-group) as RADIUS attribute 25 back to the ASA.

So here are the following mods to the instructions above in step 5 to push the policy-group to the ASA to override the default policy associated with the generic tunnel-group configured in the user's vpn client.

Dictionary Type: RADIUS-IETF

RADIUS Attribute: Class

Attribute Type: String

Attribute Value: Static

Attribute contents: OU=vpnusercategory1; (it is case sensitive, and precede by 'OU=' and follow with ';'

Now when you run 'debug aaa common 255' on the ASA and login, you'll see that the group-policy has changed during login.

---------------------

Checking simultaneous login restriction (max allowance=3) for user joeschmoe

AAA FSM: In AAA_Callback

user attributes:

1 User-Name(1) 7 "joeschmoe"

2 User-Password(2) 9 (hidden)

3 Class(25) 18 "OU=vpnusercategory1;"

4 Class(25) 25 "CACS:acsbox/****/******"

5 Server-Secret(4119) 8 (hidden)

6 Group-Policy(4121) 14 "vpnusercategory1"

7 AAA-AVP-Table(4243) 238 "[EE][00][00][00][03][00][00][00]x[00][00][00][8D][00]"

8 Password change username(20488) 7 "joeschmoe"

9 Password change password(20489) 9 (hidden)

10 DAP class attribute required(20510) 4 1

user policy attributes:

1 Filter-Id(11) 8 "acl_vpnusercategory1"

tunnel policy attributes:

1 Filter-Id(11) 8 "Nets_Global_Deny"

2 Group-Policy(4121) 6 "vpngeneric_tunnelgrp"

------------------------

jeff.christensen · ‎10-18-2012

Great information MDULING! Saved me TONS of time! Thank you for your contribution!

Alcides Miguel · ‎05-14-2015

Hi,

I know that its been a while since this thread was started... can you please help me with this?

I've Cisco ACS 4.2 and ASA 9.0(3) the client requirement is to connect with AnyConnect ro Clientless-SSL,

I've configured the IETF 25 Class, with no luck also tried 3076\085 Tunnel-Group-Lock with no luck,

please need help,

Best Regards,

AM