cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2175
Views
0
Helpful
1
Replies

need help with vpn, freeradius and dap policies

james.randolph
Level 1
Level 1

Hi,

We have an ASA 5505 and its configured to use a Freeradius server that  authenticates against openLDAP. I'm trying to configure Dynamic Access  Policies to restrict access based upon what group a user belongs to.  In  LDAP I have an attribute called vpnaccess with values "systems" and  "common".   I've created an LDAP Attribute Map mapping the  vpnaccess to `Cisco IETF-Radius-Class', mapped the two attribute values   to Cisco Attribute Values. I think this is where I get hung up.  I  created a DAP policy with a AAA Attribute: Radius.25 = vpnAccess. When I  connect it doesn't select my DAP policy but falls through and  selects  the DflltAccessPolicy which I have configured to terminate the  connection.

In ASDM under DAP I run Test Dynamic Access Policies...

it selects the correct DAP policy "CiscoMapPolicy", but when I use a client it runs the DfltAccessPolicy.

LUA session data tables:

------------------------

endpoint.application.clienttype    =    AnyConnect

aaa.radius.25    =    vpnAccess

aaa.radius.1    =    vpnAccess

aaa.radius.4242    =    vpnAccess

aaa.cisco.username    =    user-name

aaa.cisco.tunnelgroup    =    TGIVPN

aaa.ldap.memberOf    =    systems

aaa.ldap.vpnAccess    =    systems

Selected DAP records

--------------------

CiscoMapPolicy

The DAP policy contains the following attributes for user:

--------------------------------------------------------------------------

1: action = continue

Any ideas where I've gone wrong or can you point me in the right direction?

Thanks in advance.

Clients: SSL/AnyConnect

ASDM: 6.2

ASA: 8.2(1)

1 Reply 1

Lee Valentin
Level 1
Level 1

You can use the group lock command.

There's a post that describes how to configure. https://supportforums.cisco.com/docs/DOC-1746

I also write about implementing it http://ccsplab.ning.com/profiles/blogs/tunnel-group-lock-and-ldap