Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
574
Views
5
Helpful
1
Replies

ASA VPN RADIUS 25 Attirbute

martinbuffleo
Level 1
Level 1

‎02-19-2019 06:50 AM

When trying to follow http://www.dasblinkenlichten.com/using-radius-attributes-during-webvpn-logon/

 

If we remove the list profiles option we get the error no IP address assign, and connection fails

 

If we leave select a profile then each of the profiles connects ok.

 

But my contractors could select employees and visa versa.

 

As a first point can someone clarify if its Name=Class and Value should return 'ou=Contractors;' or 'Contractors'

 

Labels:
0 Helpful
1 Reply 1

Rahul Govindan
VIP Alumni
VIP Alumni

‎02-20-2019 06:17 AM

IF you remove the list profiles option, the users would be falling under the DefaultWebVPN group connection profile. In your case, I think you need to set up 1 Connection profile so that users can fall into that and get a different group-policy based on AD. The steps to do this:

 

1) Set up a Connection profile say "AnyConnect VPN"

2) Set the group-url to "https://<ASA-fqdn>

3) Disable the list tunnel-group option.

4) Configure your group-policies per AD groups. Also create a Group-policy called "NoAccess" with simultaneous login =0. Assign this as defaul-group-policy for Connection-profile above.

5) Set your Radius Authorization condition to return "OU=<group-policy>" name per AD group. I believe you can also return just "<Group-policy-name".

 

User experience would be that they only see username and password field when they hit the ASA FQDN. Based on credentials, they will automatically receive group-policy and corresponding permissions set. IF they don't match any conditions specified by Radius, they hit the "NoAccess" group-policy and get denied access. 

Customers Also Viewed These Support Documents