How do I lock VPN users into a certain group-policy with ASA-ACS 5.2?

davebornack
Level 1

I have a Cisco ASA (8.2) with several group-policies setup.  By default, I can hit the SSL page, and have a selection of available group-policies for a user to login to.  I want to have different ACLs for each group, to go along with the subnet that each particular group hands out.  Right now, as long as a user is authenticated through AAA, they can log in to any group they select, and therefore, have more permissions than another group.

I know how to hide the list, but I need to be able to assign a specific group to a user based on an attribute in ACS.

I've set up ACS to use the "CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock" attribute, in which I match the group-policy name on the ASA to the attribute on the user account in ACS.

This doesn't seem to work, and it just throws the user into DfltGrpPlcy, which doesn't give the user anything.  So it's either wide-open, or it's broken.

I'm using RADIUS authentication and not TACACS, so it should retrieve the attributes, and according to the ACS, it grabs the attribute during the authentication process.

Let me know if I can answer any questions.

Thanks!

1 Reply

Herbert Baerten
Cisco Employee

Hi Dave,

Not sure why this is not working; you may want to check "debug radius" to verify the ASA is getting the correct attribute. Note that the value should be the name of a tunnel-group, not of a group-policy.

Alternatively, toss out the tunnel-group-lock attribute and instead push the group-policy (not the tunnel-group) as IETF attribute 25 ('Class').

This will apply that group-policy regardless of which tunnel-group the user selects (or of course in that case you can hide the group selection box).

cfr. http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

hth

Herbert
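The configuration below is an added example of the approach Herbert describes (push the group-policy via IETF attribute 25, Class, and keep the default group-policy locked down); it is not from the original thread and not Cisco's own configuration guide. All names (ACL-ENG, GP-ENGINEERING, TG-ENGINEERING, POOL-ENG, ACS-RADIUS), the subnets and the ACS address are placeholders to adapt. On the ACS 5.2 side, the authorization profile applied to the user or identity group must return the RADIUS Class attribute (IETF 25) with the string `OU=GP-ENGINEERING;`, trailing semicolon included, which the ASA maps to the group-policy of that name.

```cisco
! Added example, not from the original thread. All names and addresses
! below are assumed placeholders.

! 1. Per-group filter: this group may reach the engineering subnet only.
access-list ACL-ENG extended permit ip any 10.10.10.0 255.255.255.0
access-list ACL-ENG extended deny ip any any

! 2. Address pool handed to members of this group.
ip local pool POOL-ENG 10.20.20.10-10.20.20.100 mask 255.255.255.0

! 3. Group-policy that carries the ACL and pool. ACS returns its name in
!    Class (25) as "OU=GP-ENGINEERING;", so the user lands here no matter
!    which tunnel-group they pick from the SSL page.
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-filter value ACL-ENG
 vpn-tunnel-protocol svc webvpn
 address-pools value POOL-ENG

! 4. Lock down the default group-policy so a user whose Access-Accept
!    carries no usable Class attribute cannot log in at all, instead of
!    silently ending up in DfltGrpPolicy.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! 5. RADIUS server group pointing at ACS 5.2 (replace key and address).
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <shared-secret>

! 6. Tunnel-group that authenticates against ACS. default-group-policy is
!    only the fallback; the per-user Class attribute overrides it.
tunnel-group TG-ENGINEERING type remote-access
tunnel-group TG-ENGINEERING general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy DfltGrpPolicy
tunnel-group TG-ENGINEERING webvpn-attributes
 group-alias Engineering enable

! 7. Verification while a test user logs in: the Access-Accept in the
!    debug output should carry Class (25) = "OU=GP-ENGINEERING;", and the
!    session should show Group Policy : GP-ENGINEERING.
debug radius
show vpn-sessiondb detail
```

With this layout each ACS authorization profile maps to exactly one group-policy and its vpn-filter, so a user who selects the "wrong" alias on the login page still receives only the ACL and pool of the policy ACS returned; if ACS returns nothing usable, the zero-login default policy rejects the session rather than granting unfiltered access.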