Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1543
Views
0
Helpful
4
Replies

Restrict Active Directory group to a VPN tunnel group thru RADIUS

mellowgb59
Level 1
Level 1

‎12-10-2007 11:30 AM - edited ‎02-21-2020 03:25 PM

Hello,

I have seen a few similar conversations similar to this one; but none are answering my question:

I am using IAS as my RADIUS server in an Active Directory environment. I want to restrict a user to a particular Tunnel Group. I know that I must configure a class 25 attribute in the RADIUS server OU=GROUPNAME. In my case I have a sub-set of users who should be restricted to this tunnel and not our general use tunnel. How do I associate the AD users to the class attribute (and tunnel that I want to restrict the user to)? Do I create an AD GROUP? If so, how do I associate that AD group to the VPN tunnel-group that I want these users to be restricted to?

Labels:
0 Helpful
4 Replies 4

Jason Gervia
Cisco Employee
Cisco Employee

‎12-10-2007 05:52 PM

Mellow,

The radius class attribute (25) maps users to group policies, not tunnel-groups/connection profiles.

So you could have everyone come in on the same tunnel-group/connection profile, but then depending on the group in your radius server, end up with different group policies depending on what class attribute you send.

I'm not sure of the AD/IAS configuration off the top of my head, but here's a link on configuring the IAS to work with the ASA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

7.x - but in 8.x the same principles apply.

0 Helpful

mellowgb59
Level 1
Level 1
In response to Jason Gervia

‎12-13-2007 05:40 PM

I want users from a certain AD group to be assigned a certain VPN policy. The question that I am asking:

How do you tie the AD group that the users are in to the group policy that you want applied?

0 Helpful

ggittins
Level 1
Level 1
In response to mellowgb59

‎12-14-2007 11:45 AM

have you gotten an answer to this question?

i have the same requierments...

0 Helpful

aliaslab
Level 1
Level 1

‎12-15-2007 08:50 AM

Hello,

first you need to create in AD a Security Group (a Global Security Group would be ok), naming it the way you like (let's say i.e. 'Sales'), and make the AD users of your 'sub-set' members of this Group.

After that you need to create in IAS a Remote Access Policy whose policy conditions contain 'Windows-Groups'='Sales' (selecting the new Group by simply browsing your AD).

Then set for THAT IAS POLICY the CLASS 25 attribute equal to the VPN Server Group Policy (equal to Tunnel Group if you have a VPN3000) you want those users to be locked in.

Basically, this way IAS will return to the VPN server the proper class attribute by telling which AD Security Group a (authenticated) user belongs to.

0 Helpful
Customers Also Viewed These Support Documents