260 Views · 2 Helpful · 6 Replies

Cisco ACS - RADIUS - Specify AnyConnect connection-profile

MarcoLazzarotto
Level 1

We provide AnyConnect access to our customers; for a customer I must enable MSCHAPv2 authentication, and to do so I need to let this customer use a separate connection profile.
The problem: our setup, which involves Cisco ACS for AAA, forces all of our AnyConnect users to use the DefaultWEBVPNGroup.

How do I force the customer's identity group in ACS to use a specific connection profile on the ASA?

This is what I've added to the authorization policy (note that I tried with and without the OU= prefix), but that didn't work.

[image: MarcoLazzarotto_1-1716293539188.png]

The following is the log that resulted from my changes. Note that CustomerRemoteSC is the connection-profile on which I will enable MSCHAPv2.

 

May 20 05:44:03 <asa-ip-addr> %ASA-6-113004: AAA user authentication Successful : server =  ACS-ip-addr : user = marco.lazzarotto
May 20 05:44:03 <asa-ip-addr> %ASA-6-113003: AAA group policy for user marco.lazzarotto is being set to Customer-Any
May 20 05:44:03 <asa-ip-addr> %ASA-6-113011: AAA retrieved user specific group policy (Customer-Any) for user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-6-113004: AAA user authentication Successful : server =  <duo-ip-addr> : user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-6-113011: AAA retrieved user specific group policy (Customer-Any) for user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-6-113009: AAA retrieved default group policy (1xxxRestricted) for user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-6-113008: AAA transaction status ACCEPT : user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["1"]["1"] = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["8"]["1"] = 167971394
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["25"]["1"] = Customer-Any
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["25"]["2"] = CACS:atl-acs/344500076/13930362
May 20 05:05:43 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["4224"]["1"] = CustomerRemoteSC
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["4242"]["1"] = CustomerRemoteSC
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.grouppolicy = Customer-Any
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.class = Customer-Any
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.ipaddress = 10.x.y.66
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.username = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.username1 = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.username2 = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
May 20 05:44:09 <asa-ip-addr> %ASA-6-734001: DAP: User marco.lazzarotto, Addr <personal-public-ip>, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
May 20 05:44:09 <asa-ip-addr> %ASA-4-113034: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> User ACL <#ACSACL#-IP-Customer-DACL-5e70fa56> from AAA ignored, AV-PAIR ACL used instead.
May 20 05:44:09 <asa-ip-addr> %ASA-6-113039: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> AnyConnect parent session started.
May 20 05:44:12 <asa-ip-addr> %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolicy <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> No IPv6 address available for SVC connection
May 20 05:44:12 <asa-ip-addr> %ASA-5-109201: UAUTH: Session=0x6faa7000, User=marco.lazzarotto, Assigned IP=10.x.y.66, Succeeded adding entry.
May 20 05:44:12 <asa-ip-addr> %ASA-5-722033: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> First TCP SVC connection established for SVC session.
May 20 05:44:12 <asa-ip-addr> %ASA-6-722022: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> TCP SVC connection established without compression
May 20 05:44:12 <asa-ip-addr> %ASA-7-746012: user-identity: Add IP-User mapping 10.x.y.66 - LOCAL\marco.lazzarotto Succeeded - VPN user
May 20 05:44:12 <asa-ip-addr> %ASA-6-722055: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> Client Type: Cisco AnyConnect VPN Agent for Apple iPhone 5.0.05207
May 20 05:44:12 <asa-ip-addr> %ASA-4-722051: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> IPv4 Address <10.x.y.66> IPv6 address <::> assigned to session

 

What am I missing?

Accepted Solution

Hi, as I said earlier the tunnel group cannot be changed by RADIUS... it's a bit of a catch-22 if you allow that... if you allow that, then we don't know what AAA mechanism to use... some tunnel groups can have RADIUS, others could be local... how do we really enforce that? The only way to change the tunnel group is for cert auth only, based on tunnel group mapping etc... otherwise, the tunnel group is determined based on URL or group-alias:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

You can use the tunnel-group-lock option to make sure users come through the tunnel they are authorized to...

The OU is only to assign the group policy..

A couple of other options I suggest:

1) use a different URL

2) use the same URL but create a path.. like vpn.xyz.com/marketing, vpn.xyz.com/engineering..
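The configuration below is an added example, not part of the original post or of Cisco's documentation, showing the approach ccieexpert describes: the customer's connection profile is selected by its own URL, and the group policy that ACS assigns is locked to that profile. The hostname and path in the group-url are assumptions, as is the premise that webvpn and AnyConnect are already enabled on the outside interface (they must be, since DefaultWEBVPNGroup already serves AnyConnect users). The tunnel-group, group-policy and AAA server names are the ones that appear in the thread.

```text
! Dedicated connection profile for the customer, reached by URL rather than
! selected via RADIUS. Hostname and path are assumed; substitute your own.
tunnel-group CustomerRemoteSC type remote-access
tunnel-group CustomerRemoteSC general-attributes
 authentication-server-group New-rad
 default-group-policy Customer
tunnel-group CustomerRemoteSC webvpn-attributes
 group-url https://vpn.example.com/customersc enable
!
! ACS keeps returning Class = OU=Customer-Any, which picks the group policy,
! not the tunnel-group. group-lock binds that group policy to the customer's
! connection profile: a session that is assigned Customer-Any but arrived
! through any other tunnel-group (DefaultWEBVPNGroup, for instance) is refused.
group-policy Customer-Any attributes
 group-lock value CustomerRemoteSC
```

After a test login through the new URL, the %ASA-7-734003 line for aaa.cisco.tunnelgroup should show CustomerRemoteSC instead of DefaultWEBVPNGroup. A login with the same account through the default URL is then refused by the group-lock, which is the per-profile enforcement ccieexpert refers to as tunnel-group-lock; the same lock can also be returned by ACS as the Cisco VSA Tunnel-Group-Lock rather than being set locally in the group policy.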


6 Replies

ccieexpert
Level 1

The tunnel group that a user came from cannot be changed by RADIUS.. something else is going on.. Can you attach the logs from the beginning of the session? I want to see what the tunnel group is from the beginning.. What version of ASA is it? How are you selecting the tunnel group? Tunnel group list with an alias, or group-url? Please show a config snippet also.

Can you share config 

Thanks 

MHM

MarcoLazzarotto
Level 1

@MHM Cisco World @ccieexpert 

> What version of ASA is it? How are you selecting the tunnel group? Tunnel group list with an alias, or group-url?

ASA version 9.14(4)24. ACS version 5.6. I am not selecting the tunnel-group on the ASA; I wanted to select the tunnel-group on the ACS by adding a RADIUS parameter (some say to add Class (code 25) with OU=tunnel-group_name as the value). Do you guys think this is achievable without having our users use a different URL?

 

The default tunnel-group, used by all our customers and employees:

The New-rad is our Cisco ACS

[image: MarcoLazzarotto_0-1716380549259.png]

ASA config snippet

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group New-rad
 secondary-authentication-server-group DUO-ldaps use-primary-username
 default-group-policy 1xxxRestricted
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Default disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2

Customer tunnel-group I wish to use for the customer:

[image: MarcoLazzarotto_1-1716380748819.png]

ASA config snippet

tunnel-group CustomerRemoteSC type remote-access
tunnel-group CustomerRemoteSC general-attributes
 authentication-server-group New-rad
 default-group-policy Customer
tunnel-group CustomerRemoteSC ipsec-attributes
 ikev1 pre-shared-key <redacted>

These are the logs from the ASA:

May 20 05:05:06 10.x.y.3 %ASA-4-722037: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC closing connection: Transport closing.
May 20 05:05:06 10.x.y.3 %ASA-5-722012: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..
May 20 05:05:06 10.x.y.3 %ASA-5-109210: UAUTH: Session=0x6f834000, User=marco.lazzarotto, Assigned IP=10.x.y.66, Succeeded removing entry.
May 20 05:05:06 10.x.y.3 %ASA-6-716002: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> WebVPN session terminated: User Requested.
May 20 05:05:06 10.x.y.3 %ASA-7-746013: user-identity: Delete IP-User mapping 10.x.y.66 - LOCAL\marco.lazzarotto Succeeded - VPN user logout
May 20 05:05:06 10.x.y.3 %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = marco.lazzarotto, IP = 93.a.b.116, Session disconnected. Session Type: SSL, Duration: 0h:02m:21s, Bytes xmt: 4820, Bytes rcv: 10046, Reason: User Requested
May 20 05:05:06 10.x.y.3 %ASA-6-722023: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> TCP SVC connection terminated without compression
May 20 05:05:06 10.x.y.3 %ASA-7-722029: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC Session Termination: Conns: 2, DPD Conns: 0, Comp resets: 0, Dcmp resets: 0.
May 20 05:05:06 10.x.y.3 %ASA-7-722030: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC Session Termination: In: 10046 (+7757) bytes, 126 (+23) packets, 0 drops.
May 20 05:05:06 10.x.y.3 %ASA-7-722031: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC Session Termination: Out: 2410 (+7680) bytes, 1 (+20) packets, 0 drops.
May 20 05:05:38 10.x.y.3 %ASA-6-113004: AAA user authentication Successful : server = 10.2.250.20 : user = marco.lazzarotto
May 20 05:05:43 10.x.y.3 %ASA-6-113004: AAA user authentication Successful : server = 3.145.240.103 : user = marco.lazzarotto
May 20 05:05:43 10.x.y.3 %ASA-6-113009: AAA retrieved default group policy (1FooRestricted) for user = marco.lazzarotto
May 20 05:05:43 10.x.y.3 %ASA-6-113008: AAA transaction status ACCEPT : user = marco.lazzarotto
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.radius["1"]["1"] = marco.lazzarotto
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.radius["8"]["1"] = 167971394
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.radius["25"]["1"] = OU=ContosoRemoteSC
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.radius["25"]["2"] = CACS:atl-acs/344500076/13929817
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.radius["4224"]["1"] = OU=ContosoRemoteSC
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.radius["4242"]["1"] = OU=ContosoRemoteSC
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.cisco.grouppolicy = 1FooRestricted
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.cisco.ipaddress = 10.x.y.66
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.cisco.username = marco.lazzarotto
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.cisco.username1 = marco.lazzarotto
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.cisco.username2 = marco.lazzarotto
May 20 05:05:43 10.x.y.3 %ASA-7-734003: DAP: User marco.lazzarotto, Addr 93.a.b.116: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
May 20 05:05:43 10.x.y.3 %ASA-6-734001: DAP: User marco.lazzarotto, Addr 93.a.b.116, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
May 20 05:05:43 10.x.y.3 %ASA-4-113034: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> User ACL <#ACSACL#-IP-Contoso-DACL-5e70fa56> from AAA ignored, AV-PAIR ACL used instead.
May 20 05:05:43 10.x.y.3 %ASA-6-113039: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> AnyConnect parent session started.
May 20 05:05:51 10.x.y.3 %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolicy <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> No IPv6 address available for SVC connection
May 20 05:05:51 10.x.y.3 %ASA-5-109201: UAUTH: Session=0x6f860000, User=marco.lazzarotto, Assigned IP=10.x.y.66, Succeeded adding entry.
May 20 05:05:51 10.x.y.3 %ASA-5-722033: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> First TCP SVC connection established for SVC session.
May 20 05:05:51 10.x.y.3 %ASA-6-722022: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> TCP SVC connection established without compression
May 20 05:05:51 10.x.y.3 %ASA-7-746012: user-identity: Add IP-User mapping 10.x.y.66 - LOCAL\marco.lazzarotto Succeeded - VPN user
May 20 05:05:51 10.x.y.3 %ASA-6-722055: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> Client Type: Cisco AnyConnect VPN Agent for Apple iPhone 5.0.05207
May 20 05:05:51 10.x.y.3 %ASA-4-722051: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> IPv4 Address <10.x.y.66> IPv6 address <::> assigned to session
May 20 05:05:52 10.x.y.3 %ASA-5-722033: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> First UDP SVC connection established for SVC session.
May 20 05:05:52 10.x.y.3 %ASA-6-722022: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> UDP SVC connection established without compression
May 20 05:09:49 10.x.y.3 %ASA-4-722037: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC closing connection: Transport closing.
May 20 05:09:49 10.x.y.3 %ASA-6-722023: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> UDP SVC connection terminated without compression
May 20 05:09:49 10.x.y.3 %ASA-6-722023: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> TCP SVC connection terminated without compression
May 20 05:09:49 10.x.y.3 %ASA-7-722029: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC Session Termination: Conns: 2, DPD Conns: 0, Comp resets: 0, Dcmp resets: 0.
May 20 05:09:49 10.x.y.3 %ASA-7-722030: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC Session Termination: In: 36322 (+7765) bytes, 469 (+24) packets, 0 drops.
May 20 05:09:49 10.x.y.3 %ASA-7-722031: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC Session Termination: Out: 2410 (+7704) bytes, 1 (+23) packets, 0 drops.
May 20 05:09:49 10.x.y.3 %ASA-5-722012: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..
May 20 05:09:49 10.x.y.3 %ASA-5-109210: UAUTH: Session=0x6f860000, User=marco.lazzarotto, Assigned IP=10.x.y.66, Succeeded removing entry.
May 20 05:09:49 10.x.y.3 %ASA-6-716002: Group <1FooRestricted> User <marco.lazzarotto> IP <93.a.b.116> WebVPN session terminated: User Requested.
May 20 05:09:49 10.x.y.3 %ASA-7-746013: user-identity: Delete IP-User mapping 10.x.y.66 - LOCAL\marco.lazzarotto Succeeded - VPN user logout
May 20 05:09:49 10.x.y.3 %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = marco.lazzarotto, IP = 93.a.b.116, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:04m:12s, Bytes xmt: 4820, Bytes rcv: 36322, Reason: User Requested


Marvin Rhoads
Hall of Fame

As suggested by @ccieexpert, we cannot change the connection profile (aka tunnel-group) via RADIUS. A group policy change can often accomplish similar objectives, though. That is controllable via a RADIUS attribute.

MarcoLazzarotto
Level 1

Thank you very much to you all! I will go with a custom URL for our customer as I think this is the best way to achieve what I need.