Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3371
Views
4
Helpful
4
Replies

Group-lock not working with WebVPN and RADIUS authentication

bhenning
Level 1
Level 1

‎05-17-2013 03:02 PM

I'm on an ASA 5510 running 8.2(5)41. I have clientless WebVPN configured to authenticate against an RSA RADIUS server, which has users assigned to RADIUS Class attribute 25 to match the group-lock values assigned to each ASA group-policy. This of course is to ensure users can only access the login page's drop-down VPN profiles they are assigned to by the RADIUS server. I have two other ASA 5510s (same code level) using the same RADIUS server with group-lock enabled but for IPSec remote access VPN's, and the group-lock feature works fine.

WebVPN, however, is authenticating any user to any VPN profile without regard to the RADIUS Class attribute 25 they are assigned. If I

configure the VPN profiles to authenticate locally and assign group-lock to individual ASA user accounts, group-lock works. As soon as I point it back to the RADIUS server, group-lock does nothing.

From the 'debug aaa' below for user 'corpvpnstp', you can see the RADIUS server sends back the attribute 25 values of "ou=stp.Client;" and "ou=stp.ClientDRC;" for this user. The ASA profile this user has attempted to connect to is "EMS-Admin", which should get denied by the ASA. Instead, the ASA successfully authenticates the user.

May 17 2013 13:47:44: %ASA-6-113004: AAA user authentication Successful : server =  192.168.10.26 : user = corpvpnstp

May 17 2013 13:47:44: %ASA-6-113009: AAA retrieved default group policy (EMS-Admins) for user = corpvpnstp

May 17 2013 13:47:44: %ASA-6-113008: AAA transaction status ACCEPT : user = corpvpnstp

May 17 2013 13:47:44: %ASA-7-734003: DAP: User corpvpnstp, Addr 192.168.180.11: Session Attribute aaa.radius["25"]["1"] = SBR2CL............).........................................

May 17 2013 13:47:44: %ASA-7-734003: DAP: User corpvpnstp, Addr 192.168.180.11: Session Attribute aaa.radius["25"]["2"] = ou=stp.Client;

May 17 2013 13:47:44: %ASA-7-734003: DAP: User corpvpnstp, Addr 192.168.180.11: Session Attribute aaa.radius["25"]["3"] = ou=stp.ClientDRC;

May 17 2013 13:47:44: %ASA-7-734003: DAP: User corpvpnstp, Addr 192.168.180.11: Session Attribute aaa.cisco.grouppolicy = EMS-Admins

May 17 2013 13:47:44: %ASA-7-734003: DAP: User corpvpnstp, Addr 192.168.180.11: Session Attribute aaa.cisco.username = corpvpnstp

May 17 2013 13:47:44: %ASA-7-734003: DAP: User corpvpnstp, Addr 192.168.180.11: Session Attribute aaa.cisco.tunnelgroup = EMS-Admins

May 17 2013 13:47:44: %ASA-6-734001: DAP: User corpvpnstp, Addr 192.168.180.11, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy

May 17 2013 13:47:44: %ASA-6-716001: Group <EMS-Admins> User <corpvpnstp> IP <192.168.180.11> WebVPN session started.

May 17 2013 13:47:44: %ASA-6-716038: Group <EMS-Admins> User <corpvpnstp> IP <192.168.180.11> Authentication: successful,

Here's the relevant group-policy and tunnel-group configs for both the EMS-Admins group (which the 'corpvpnstp' user should not be allowed to access) and the "EMS-stp" group-policy with the group-lock value of 'stp.ClientDRC', which the 'corpvpnstp' user is allowed to access.

group-policy EMS-Admins attributes

vpn-tunnel-protocol webvpn

group-lock value EMS-Admins

webvpn

  url-list value BCC_EMS-Admins

  filter value WebACL-EMSAdmins

  customization value EMSAdminCustomization

group-policy EMS-stp internal

group-policy EMS-stp attributes

vpn-tunnel-protocol webvpn

group-lock value stp.ClientDRC

webvpn

  url-list value BCC_EMS-stp

  filter value WebACL-stp

  customization value stpCustomization

tunnel-group EMS-Admins type remote-access

tunnel-group EMS-Admins general-attributes

authentication-server-group RSA-RADIUS LOCAL

default-group-policy EMS-Admins

tunnel-group EMS-Admins webvpn-attributes

customization EMSAdminCustomization

group-alias EMS-Admins enable

tunnel-group stp.ClientDRC type remote-access

tunnel-group stp.ClientDRC general-attributes

authentication-server-group RSA-RADIUS LOCAL

default-group-policy EMS-stp

tunnel-group stp.ClientDRC webvpn-attributes

customization stpCustomization

group-alias EMS-stp enable

Here's a link I found from 2007 with the same type of issue and no resolution unfortunately. I gotta believe this has been resolved by now, but no luck searching Cisco or the web.   

http://compgroups.net/comp.dcom.sys.cisco/asa5520-webvpn-authenticating-to-acs-unab/1222230

Thanks!

Labels:
0 Helpful
4 Replies 4

bhenning
Level 1
Level 1

‎05-23-2013 07:55 AM

Well, I got this to work, but I don't like the method. I had to add local user accounts and configure local attributes with group-lock. For example:

username MyUser password MyPassword

username MyUser attributes

group-lock value stp.ClientDRC

service-type remote-access

webvpn

  customization value MyCustomization

Incidentally, when the user logs in, the authentication is passed to the RADIUS server (so, the locally configured username/password combo does nothing), the RADIUS server then responds with the acceptable group values (Class attribute 25), which is then checked against the group-lock value under the ASA local user attribute.

For a handful of users, this isn't a huge deal, but if you have a large amount of WebVPN users to manage, you'll have to configure local accounts on the ASA in addition to your back-end RADIUS authentication server (or AD, etc.).

0 Helpful

guibarati
Level 4
Level 4
In response to bhenning

‎05-23-2013 08:58 AM

The problem is that you are using DAP (Dynamic Access Policy)

May 17 2013 13:47:44: %ASA-6-734001: DAP: User corpvpnstp, Addr 192.168.180.11, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy

Once you make any change to the dynamic access policy called "DfltAccessPolicy" it will override the "group-policy" configurations if the user matches any attribute set on DAP. If you changed something on DfltAccessPolicy but didn't set any attribute (tellling it what user should use it), I'm gessing all users are using this DAP and it has no group-lock.

you can create DAP to match the specific groups you want. E.g.:

Policy 1 - All users with RADIUS attribute 25 = EMS-Admins

Policy 2 - All users ........

Policy DfltAccessPolicy: Action = Terminate

Rate if it helps

bhenning
Level 1
Level 1
In response to guibarati

‎05-24-2013 06:11 AM

Thanks for offering the help. I hadn't made any changes to the DfltAccessPolicy (all default settings), and same setup was working fine on another ASA for IPSec remote access VPN. Per my last post below, it's working now, with no explanation of why. Strange.

Thanks again!

0 Helpful

bhenning
Level 1
Level 1
In response to bhenning

‎05-23-2013 09:01 AM

As much as I hate fluke issues, this is working now. The debug output from my original post above proved the Class attribute 25 coming back from the RADIUS server was different from the group value configured on the ASA policy, yet the ASA was allowing the user to authenticate. Today, it's working. If the RADIUS server sends back a Class attribute 25 value that is different from the ASA's group-lock value for that WebVPN profile, the ASA successfully denies the connection. No explanation for it, gang. Sorry for all the drama. 

0 Helpful
Customers Also Viewed These Support Documents