Actually, on ASA, RADIUS Class [25] is no longer used for group-lock, but to
bind a group-policy to the user. You need to use cvpn 3000/PIX/ASA VSA 85
(Tunnel-Group-Lock) for this purpose. Alternatively, you can use the
group-lock attribute in the group-policy for this.
________________________________
From: nobody_at_groupstudy.com on behalf of Farrukh Haroon
Sent: Sat 3/20/2010 2:21 AM
To: Edouard Zorrilla
Cc: security_at_groupstudy.com; Cisco certification
Subject: Re: VPN Restriction in ASA OS 8.22
Do you want to restrict a group to a single user only?
Or do you want to make sure that a particular user 'x' can only log in to a
particular group 'gx'?
Have you seen the group-lock command and the RADIUS Attribute 25 (Class)?
Regards
Farrukh
On Fri, Mar 19, 2010 at 11:45 PM, Edouard Zorrilla <ezorrilla_at_tsf.com.pe> wrote:
> Hi Team,
>
> Is there a way I can make something inside the ASA so that one user can
> log in to just a single group:
>
> group-policy CISCO-ENG internal
> group-policy CISCO-ENG attributes
>  vpn-simultaneous-logins 1
>  vpn-idle-timeout 30
>  vpn-session-timeout 120
>  ipsec-udp enable
>  split-tunnel-policy tunnelall
>  default-domain value dfg.com
>  secure-unit-authentication enable
>  user-authentication enable
>  user-authentication-idle-timeout 10
>  address-pools value POOCISCO-ENG
> !
> tunnel-group CISCO-ENG type remote-access
> tunnel-group CISCO-ENG general-attributes
>  authentication-server-group RADIUS
>  authentication-server-group (outside) RADIUS
>  accounting-server-group RADIUS
>  default-group-policy RAS_test
> tunnel-group CISCO-ENG ipsec-attributes
>  pre-shared-key *****
> !
>
> Right now any user can log in to any group; this is not what I want.
>
> Thanks
>
> Regards
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Sat Mar 20 2010 - 05:29:37 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:35 ART
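
Added example, not part of the original thread or of any Cisco tooling: a small Python audit that reads an ASA running-config and reports, for each tunnel group, whether its default group-policy carries a `group-lock value` pointing back at that tunnel group. It assumes sub-mode commands are indented as in `show running-config` output; `audit_group_lock`, `THREAD_CFG` and `LOCKED_CFG` are hypothetical names, and a policy bound per user through RADIUS Class 25 or a lock sent as VSA 85 lives on the RADIUS server and is not visible to this check.

```python
import re

# Abridged from the configuration quoted in the thread: no group-lock anywhere.
THREAD_CFG = """\
group-policy CISCO-ENG internal
group-policy CISCO-ENG attributes
 vpn-simultaneous-logins 1
tunnel-group CISCO-ENG type remote-access
tunnel-group CISCO-ENG general-attributes
 default-group-policy RAS_test
"""
# Constructed variant: the default policy is locked to its own tunnel group.
LOCKED_CFG = """\
group-policy CISCO-ENG internal
group-policy CISCO-ENG attributes
 group-lock value CISCO-ENG
tunnel-group CISCO-ENG type remote-access
tunnel-group CISCO-ENG general-attributes
 default-group-policy CISCO-ENG
"""
SECTION = re.compile(r"(group-policy|tunnel-group) (\S+) (?:general-)?attributes$")

def audit_group_lock(config):
    """Return {tunnel_group: finding} for each tunnel group's default policy."""
    locks, defaults, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level line opens a new section
            m = SECTION.match(line)
            section = m.groups() if m else None
            if m and m.group(1) == "tunnel-group":
                # With no default-group-policy line, ASA falls back to DfltGrpPolicy.
                defaults.setdefault(m.group(2), "DfltGrpPolicy")
            continue
        words = line.split()
        if section and section[0] == "group-policy" and words[:2] == ["group-lock", "value"]:
            locks[section[1]] = words[2]
        elif section and section[0] == "tunnel-group" and words[0] == "default-group-policy":
            defaults[section[1]] = words[1]
    findings = {}
    for tg, policy in defaults.items():
        lock = locks.get(policy)
        if lock == tg:
            findings[tg] = "locked"
        else:
            findings[tg] = (f"policy {policy} is locked to {lock}" if lock
                            else f"no group-lock in policy {policy}")
    return findings
```

On the thread's configuration the finding names `RAS_test`, because the tunnel group's default policy is not the `CISCO-ENG` policy shown, so a lock added only to `CISCO-ENG` would not cover users who fall through to the default.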