05-21-2024 05:22 AM
We provide AnyConnect access to our customers; for a customer I must enable MSCHAPv2 authentication, and to do so I need to let this customer use a separate connection profile.
The problem: our setup, which involves Cisco ACS for AAA, forces all of our AnyConnect users to use the DefaultWEBVPNGroup.
How do I force the customer's identity group in ACS to use a specific connection profile on the ASA?
This is what I've added to the authorization policy (note that I tried with and without the OU= prefix), but that didn't work.
The following is the log resulting from my changes. Note that CustomerRemoteSC is the connection profile on which I will enable MSCHAPv2.
May 20 05:44:03 <asa-ip-addr> %ASA-6-113004: AAA user authentication Successful : server = ACS-ip-addr : user = marco.lazzarotto
May 20 05:44:03 <asa-ip-addr> %ASA-6-113003: AAA group policy for user marco.lazzarotto is being set to Customer-Any
May 20 05:44:03 <asa-ip-addr> %ASA-6-113011: AAA retrieved user specific group policy (Customer-Any) for user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-6-113004: AAA user authentication Successful : server = <duo-ip-addr> : user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-6-113011: AAA retrieved user specific group policy (Customer-Any) for user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-6-113009: AAA retrieved default group policy (1xxxRestricted) for user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-6-113008: AAA transaction status ACCEPT : user = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["1"]["1"] = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["8"]["1"] = 167971394
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["25"]["1"] = Customer-Any
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["25"]["2"] = CACS:atl-acs/344500076/13930362
May 20 05:05:43 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["4224"]["1"] = CustomerRemoteSC
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["4242"]["1"] = CustomerRemoteSC
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.grouppolicy = Customer-Any
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.class = Customer-Any
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.ipaddress = 10.x.y.66
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.username = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.username1 = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.username2 = marco.lazzarotto
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
May 20 05:44:09 <asa-ip-addr> %ASA-6-734001: DAP: User marco.lazzarotto, Addr <personal-public-ip>, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
May 20 05:44:09 <asa-ip-addr> %ASA-4-113034: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> User ACL <#ACSACL#-IP-Customer-DACL-5e70fa56> from AAA ignored, AV-PAIR ACL used instead.
May 20 05:44:09 <asa-ip-addr> %ASA-6-113039: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> AnyConnect parent session started.
May 20 05:44:12 <asa-ip-addr> %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolicy <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> No IPv6 address available for SVC connection
May 20 05:44:12 <asa-ip-addr> %ASA-5-109201: UAUTH: Session=0x6faa7000, User=marco.lazzarotto, Assigned IP=10.x.y.66, Succeeded adding entry.
May 20 05:44:12 <asa-ip-addr> %ASA-5-722033: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> First TCP SVC connection established for SVC session.
May 20 05:44:12 <asa-ip-addr> %ASA-6-722022: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> TCP SVC connection established without compression
May 20 05:44:12 <asa-ip-addr> %ASA-7-746012: user-identity: Add IP-User mapping 10.x.y.66 - LOCAL\marco.lazzarotto Succeeded - VPN user
May 20 05:44:12 <asa-ip-addr> %ASA-6-722055: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> Client Type: Cisco AnyConnect VPN Agent for Apple iPhone 5.0.05207
May 20 05:44:12 <asa-ip-addr> %ASA-4-722051: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> IPv4 Address <10.x.y.66> IPv6 address <::> assigned to session
What am I missing?
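A small audit over the syslog lines above makes the failure visible without reading every DAP line by hand. This is an added example, not code from the thread or from Cisco: it parses the `%ASA-7-734003` session-attribute lines per user, compares the tunnel-group name the RADIUS server delivered with the `aaa.cisco.tunnelgroup` the ASA actually used, checks the group-policy against an expected profile (the condition a group-lock on the policy would enforce), and surfaces the `%ASA-4-113034` warning that the downloadable ACL from AAA was replaced by an AV-pair ACL. The `EXPECTED_TUNNEL_GROUP` mapping and the `aaa.radius["4224"]`/`["4242"]` keys are assumptions taken from this log; the sample lines are copied from the post with its placeholders kept.

```python
"""Audit ASA AnyConnect syslog for sessions that landed on an unexpected tunnel-group.

Added example (not from the thread or Cisco). Message formats follow the ASA lines
quoted in the post; EXPECTED_TUNNEL_GROUP and RADIUS_TG_KEYS are assumptions.
"""
import re
from collections import defaultdict

# Sample lines taken from the post, placeholders (<asa-ip-addr> etc.) kept as written there.
SAMPLE_LOG = """\
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["25"]["1"] = Customer-Any
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.radius["4242"]["1"] = CustomerRemoteSC
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.grouppolicy = Customer-Any
May 20 05:44:09 <asa-ip-addr> %ASA-7-734003: DAP: User marco.lazzarotto, Addr <personal-public-ip>: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
May 20 05:44:09 <asa-ip-addr> %ASA-4-113034: Group <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> User ACL <#ACSACL#-IP-Customer-DACL-5e70fa56> from AAA ignored, AV-PAIR ACL used instead.
May 20 05:44:12 <asa-ip-addr> %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolicy <Customer-Any> User <marco.lazzarotto> IP <<personal-public-ip>> No IPv6 address available for SVC connection
"""

# Which tunnel-group each group-policy is supposed to arrive through (assumed; this is
# what a group-lock on the policy would enforce on the ASA itself).
EXPECTED_TUNNEL_GROUP = {"Customer-Any": "CustomerRemoteSC"}

# RADIUS attribute keys that, in the post's log, carry the wanted tunnel-group name (assumed).
RADIUS_TG_KEYS = ('aaa.radius["4224"]["1"]', 'aaa.radius["4242"]["1"]')

DAP_ATTR_RE = re.compile(
    r'%ASA-7-734003: DAP: User (?P<user>\S+), Addr \S+: Session Attribute (?P<key>\S+) = (?P<val>.*)$'
)
ACL_IGNORED_RE = re.compile(
    r'%ASA-4-113034: Group <(?P<gp>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>.+?)> '
    r'User ACL <(?P<acl>[^>]+)> from AAA ignored'
)


def parse_sessions(text):
    """Collect DAP session attributes per user: {user: {attribute_key: value}}."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = DAP_ATTR_RE.search(line)
        if m:
            sessions[m["user"]][m["key"]] = m["val"].strip()
    return dict(sessions)


def audit(text, expected=EXPECTED_TUNNEL_GROUP):
    """Return a list of (user, finding, detail) tuples for the given syslog text."""
    findings = []
    for user, attrs in parse_sessions(text).items():
        actual_tg = attrs.get("aaa.cisco.tunnelgroup")
        gp = attrs.get("aaa.cisco.grouppolicy")
        # 1. RADIUS delivered a tunnel-group name, but the ASA kept the profile the client hit.
        wanted = {attrs[k] for k in RADIUS_TG_KEYS if k in attrs}
        if wanted and actual_tg not in wanted:
            findings.append((user, "radius-tunnel-group-not-applied",
                             f"session on {actual_tg}, RADIUS sent {sorted(wanted)}"))
        # 2. This group-policy is only supposed to be reachable through one profile.
        if gp in expected and actual_tg != expected[gp]:
            findings.append((user, "group-policy-on-wrong-tunnel-group",
                             f"{gp} via {actual_tg}, expected {expected[gp]}"))
    # 3. The downloadable ACL from AAA was silently replaced by an AV-pair ACL.
    for line in text.splitlines():
        m = ACL_IGNORED_RE.search(line)
        if m:
            findings.append((m["user"], "aaa-dacl-ignored", m["acl"]))
    return findings


if __name__ == "__main__":
    for user, finding, detail in audit(SAMPLE_LOG):
        print(user, finding, detail, sep=" | ")
```

Run against the post's lines it reports all three conditions for the user; once the customer reaches CustomerRemoteSC through its own group-url and the Customer group-policy is locked to that profile, only the ACL notice would remain, which is worth checking separately so the access list actually applied is the one intended.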
05-22-2024 07:45 AM
hi, as I said earlier, the tunnel group cannot be changed by RADIUS... it's a bit of a catch-22 if you allow that... if you allow that, then we don't know what AAA mechanism to use... some tunnel groups can have RADIUS, others could be local... how do we really enforce that... the only way to change the tunnel group is for cert auth only, based on tunnel group mapping etc... otherwise, the tunnel group is determined based on URL or group-alias:
You can use the tunnel-group-lock option to make sure users come through the tunnel they are authorized to...
the OU is only to assign the group policy..
a couple of other options I suggest:
1) use a different URL
2) use the same URL but create a path.. like vpn.xyz.com/marketing, vpn.xyz.com/engineering..
05-21-2024 08:06 PM
The tunnel group that a user came from cannot be changed by RADIUS.. something else is going on.. Can you attach the logs from the beginning of the session? I want to see what the tunnel group is from the beginning.. what version of ASA is it? how are you selecting the tunnel group? tunnel group list with an alias or group-url? pls show a config snip also
05-21-2024 11:54 PM
Can you share the config?
Thanks
MHM
05-22-2024 06:21 AM
> what version of ASA is it? how are you selecting the tunnel group? tunnel group list with an alias or group-url?
ASA version 9.14(4)24. ACS version 5.6. I am not selecting the tunnel-group on the ASA; I wanted to select the tunnel-group on the ACS by adding a RADIUS parameter (some say to add Class (code 25) with OU=tunnel-group_name as the value). Do you guys think this is achievable without having our users use a different URL?
The default tunnel-group, used by all our customers and employees:
New-rad is our Cisco ACS.
ASA config snippet:
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group New-rad
 secondary-authentication-server-group DUO-ldaps use-primary-username
 default-group-policy 1xxxRestricted
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Default disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
The tunnel-group I wish to use for the customer:
ASA config snippet:
tunnel-group CustomerRemoteSC type remote-access
tunnel-group CustomerRemoteSC general-attributes
 authentication-server-group New-rad
 default-group-policy Customer
tunnel-group CustomerRemoteSC ipsec-attributes
 ikev1 pre-shared-key <redacted>
These are the logs from the ASA.
05-22-2024 09:04 AM
As suggested by @ccieexpert, we cannot change the connection profile (aka tunnel-group) via RADIUS. A group-policy change can often accomplish similar objectives, though, and that is controllable via a RADIUS attribute.
05-23-2024 05:22 AM
Thank you very much to you all! I will go with a custom URL for our customer as I think this is the best way to achieve what I need.