TCC_2

Resolution

In order to configure group lock, send the group policy name in the Class attribute (IETF attribute 25) from the Remote Authentication Dial-In User Service (RADIUS) server, and within that policy choose the group to lock the user into.

For example, in order to lock the Cisco 123 user into the RemoteGroup group, define the Internet Engineering Task Force (IETF) attribute 25 (Class) as OU=RemotePolicy; for this user on the RADIUS server.

Refer to this configuration example in order to configure group lock on an Adaptive Security Appliance (ASA):

group-policy RemotePolicy internal
group-policy RemotePolicy attributes
 dns-server value x.x.x.x
 group-lock value RemoteGroup

tunnel-group RemoteGroup type ipsec-ra
tunnel-group RemoteGroup general-attributes
 address-pool cisco
 authentication-server-group RADIUS-Group
 default-group-policy RemotePolicy

Note: OU sets the group policy, and the group policy locks the user into the preferred tunnel-group.
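
The following Python sketch is an added example, not part of the original document or any Cisco tool. It models the chain in the note above (Class value, then group policy, then group-lock) and lists group policies that carry no group-lock. The OpenPolicy entry is constructed for illustration; the parser assumes indented sub-mode commands and ignores values inherited from a default group policy.

```python
import re

# Constructed sample: the configuration from this page plus one hypothetical
# policy (OpenPolicy) with no group-lock, to show what the audit reports.
SAMPLE_CONFIG = """\
group-policy RemotePolicy internal
group-policy RemotePolicy attributes
 dns-server value x.x.x.x
 group-lock value RemoteGroup
group-policy OpenPolicy internal
tunnel-group RemoteGroup type ipsec-ra
tunnel-group RemoteGroup general-attributes
 address-pool cisco
 authentication-server-group RADIUS-Group
 default-group-policy RemotePolicy
"""

def parse_group_locks(config):
    """Map each group-policy name to its group-lock tunnel group (None if unset).
    Assumption: sub-mode lines are indented; inherited values are not resolved."""
    locks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) (internal|attributes)", line)
        if m:
            current = m.group(1)
            locks.setdefault(current, None)
        elif current and (m := re.match(r"\s+group-lock value (\S+)", line)):
            locks[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # a new top-level command ends the policy section
    return locks

def policy_from_class(class_value):
    """Extract the policy name from a RADIUS Class (25) value such as 'OU=RemotePolicy;'."""
    m = re.fullmatch(r"OU=([^;]+);?", class_value.strip())
    return m.group(1) if m else None

def connection_allowed(config, class_value, tunnel_group):
    """True if a user whose Class names a policy may connect through tunnel_group."""
    locks = parse_group_locks(config)
    policy = policy_from_class(class_value)
    if policy not in locks:  # modelling choice: refuse to guess a fallback policy
        raise ValueError(f"Class {class_value!r} names no configured group-policy")
    return locks[policy] in (None, tunnel_group)  # no lock means any group

def unlocked_policies(config):
    """Group policies that a Class value could select without restricting the tunnel group."""
    return sorted(p for p, lock in parse_group_locks(config).items() if lock is None)
```
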

Refer to Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server for more information on configuring group lock on the VPN Concentrator.

ASA Software Version

7.1

7.2

ASA Models

ASA 5510

Features & Tasks

Group Lock
