Re: VPN Restriction in ASA OS 8.22

From: Pemasiri Devanarayana <pemasiri_at_gmail.com>
Date: Fri, 9 Jul 2010 11:53:31 +0300

Hi Faroukh/Kanishka,

I tried to achieve the group-lock feature and unfortunately it didn't work
for me. Here is my requirement in brief again:

I have two tunnel-groups: one needs to authenticate from AD (mapped with ACS
group Corporate) and the other needs to authenticate only from local ACS users
(ACS group Netadmin).

Following was in my ASA config:

group-policy VPNALL internal
group-policy VPNALL attributes
 dns-server value 10.13.xx.xx 10.13.xx.xx
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 split-tunnel-network-list value CORP-SPLIT
 default-domain value xxxx.com
!
group-policy Admin_policy internal
group-policy Admin_policy attributes
 dns-server value 10.13.xx.xx 10.13.xxx.xx
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 split-tunnel-network-list value IT-SPLIT
 default-domain value xxxx.com
 group-lock value ITAdmin
!
tunnel-group corpvpn type remote-access
tunnel-group corpvpn general-attributes
 address-pool corpVPNPOOL
 authentication-server-group RAVPN LOCAL
 default-group-policy VPNALL
tunnel-group corpvpn ipsec-attributes
 pre-shared-key xxx
!
tunnel-group ITAdmin type remote-access
tunnel-group ITAdmin general-attributes
 address-pool ITPOOL
 default-group-policy Admin_policy
tunnel-group ITAdmin ipsec-attributes
 pre-shared-key *

In the ACS Admin group I have added the IETF RADIUS attribute 25 as "OU=Admin_policy;"

So when I tried to connect to the Admin VPN, it worked for both AD users and
ACS local users??

Later on I also configured the RADIUS value in the ACS Corp group (where the AD
group is mapped), but still the same, and then I added the group-lock on the
Corp group-policy in ACS, and still no luck.

Can you please advise me where I made mistakes?

Thanks again.

On Mon, Jul 5, 2010 at 1:33 PM, Pemasiri Devanarayana <pemasiri_at_gmail.com>wrote:

> Hi Farrukh,
>
> Thanks for your reply. I will check this out and let you know if there is any issue :)
>
>
> On Mon, Jul 5, 2010 at 10:16 AM, Farrukh Haroon <farrukhharoon_at_gmail.com>wrote:
>
>> You can enforce the group-lock functionality using the RADIUS Attribute #25
>> (Class); please see the following link:
>>
>>
>> https://supportforums.cisco.com/docs/DOC-1746;jsessionid=98982B69447868A837FED27346CCAEAF.node0
>>
>> For LDAP, have a look at this link:
>>
>>
>> http://cisco.biz/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
>>
>> Regards
>>
>> Farrukh
>>
>> On Sat, Mar 20, 2010 at 4:47 PM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>> > Yes. You would bind via LDAP to your DC. Then you can match on LDAP
>> > attributes in AD to land users into specific groups. If you use time-
>> > ranges, users who do not map properly can map to the default group
>> > with no access hours.
>> >
>> > Sent from handheld.
>> >
>> > On Mar 20, 2010, at 1:39 AM, "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
>> > wrote:
>> >
>> > > My Topology is :
>> > >
>> > > ASA -----to---- ACS ----to----- Windows-DomainControler.
>> > >
>> > > Can I do that with DC the same way you say it can be done with LDAP ?
>> > >
>> > > Regards
>> > >
>> > > ----- Original Message ----- From: "Ryan West" <rwest_at_zyedge.com>
>> > > To: "Kanishka Acharya (kaachary)" <kaachary_at_cisco.com>; "Farrukh
>> > > Haroon" <farrukhharoon_at_gmail.com>; "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
>> > > Cc: <security_at_groupstudy.com>; "Cisco certification" <ccielab_at_groupstudy.com>
>> > > Sent: Friday, March 19, 2010 7:54 PM
>> > > Subject: RE: VPN Restriction in ASA OS 8.22
>> > >
>> > >
>> > >>> -----Original Message-----
>> > >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On
>> > >>> Behalf Of
>> > >>> Kanishka Acharya (kaachary)
>> > >>> Sent: Friday, March 19, 2010 8:00 PM
>> > >>> To: Farrukh Haroon; Edouard Zorrilla
>> > >>> Cc: security_at_groupstudy.com; Cisco certification
>> > >>> Subject: RE: VPN Restriction in ASA OS 8.22
>> > >>>
>> > >>> Actually on ASA, RADIUS Class [25] is no longer used for group-lock,
>> > >>> but to bind a group-policy to the user. You need to use the cvpn
>> > >>> 3000/PIX/ASA VSA 85 (Tunnel-Group-Lock) for this purpose.
>> > >>> Alternatively, you can use the Group-lock attribute in group-policy
>> > >>> for this.
>> > >>>
>> > >>
>> > >> Wouldn't an LDAP authorization do the same?
>> > >>
>> > >> -ryan
>> > >>

Blogs and organic groups at http://www.ccie.net
Received on Fri Jul 09 2010 - 11:53:31 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART
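Editor's added example (not code from the thread or from Cisco): a small Python model of the decision Kanishka describes, so the three mechanisms can be seen side by side. The IETF Class attribute (25) carrying "OU=<group-policy>;" selects the group-policy; the Cisco VPN3000/ASA/PIX VSA 85 Tunnel-Group-Lock (vendor ID 3076), or a "group-lock value" inside the selected group-policy, names the tunnel-group the user is allowed to connect through, and a connection arriving on any other tunnel-group is rejected. The tunnel-group and group-policy tables mirror the posted config; the FIXED_POLICIES table, the Access-Accept byte strings and the scenario names are constructed here for illustration. The model assumes the tunnel-group in question authenticates through ACS over RADIUS so that the attributes arrive at all; note that the posted "tunnel-group ITAdmin" has no "authentication-server-group" line, so the ASA authenticates it against its LOCAL database and no ACS attributes are returned on that tunnel-group.

```python
"""Model of ASA group-policy selection and group-lock enforcement from RADIUS
attributes. Added example; the 'fixed' table and sample packets are constructed."""
import struct

IETF_CLASS = 25              # RFC 2865 Class attribute
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute
CISCO_VPN3000_VENDOR = 3076  # Cisco VPN3000/ASA/PIX vendor ID
VSA_TUNNEL_GROUP_LOCK = 85   # Tunnel-Group-Lock (string: tunnel-group name or "none")


def ietf_attr(attr_type: int, value: bytes) -> bytes:
    """Encode a standard RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_vsa(vendor_type: int, value: bytes) -> bytes:
    """Encode a Cisco VPN3000/ASA/PIX VSA: 26, len, vendor-id, vtype, vlen, data."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VPN3000_VENDOR) + sub


def parse_attrs(blob: bytes) -> dict:
    """Extract the Class string and the Tunnel-Group-Lock string from an attribute list.
    Malformed lengths raise ValueError rather than being silently skipped."""
    out = {"class": None, "tunnel_group_lock": None}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        if attr_type == IETF_CLASS:
            out["class"] = value.decode("ascii", "replace")
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == CISCO_VPN3000_VENDOR and vtype == VSA_TUNNEL_GROUP_LOCK:
                out["tunnel_group_lock"] = value[6:4 + vlen].decode("ascii", "replace")
        i += length
    return out


def policy_from_class(class_value):
    """The ASA takes the group-policy name from a Class formatted as 'OU=<name>;'."""
    if class_value and class_value.startswith("OU="):
        return class_value[3:].rstrip(";")
    return None


def evaluate(tunnel_group, radius_attrs, tunnel_groups, group_policies):
    """Return (allowed, effective_policy, reason) for one connection attempt.
    Precedence modelled: per-user RADIUS attributes > group-policy > tunnel-group default."""
    attrs = parse_attrs(radius_attrs)
    policy = policy_from_class(attrs["class"])
    if policy not in group_policies:  # absent or unknown Class: tunnel-group default applies
        policy = tunnel_groups[tunnel_group]["default_group_policy"]
    lock = attrs["tunnel_group_lock"] or group_policies[policy]["group_lock"]
    if lock and lock != "none" and lock != tunnel_group:
        return False, policy, f"group-lock {lock!r} does not match tunnel-group {tunnel_group!r}"
    return True, policy, "ok"


# Mirrors the tunnel-groups and group-policies in the posted config.
TUNNEL_GROUPS = {"corpvpn": {"default_group_policy": "VPNALL"},
                 "ITAdmin": {"default_group_policy": "Admin_policy"}}
POSTED_POLICIES = {"VPNALL": {"group_lock": None},
                   "Admin_policy": {"group_lock": "ITAdmin"}}
# Assumed fix (not from the post): lock the corporate policy to its own tunnel-group too.
FIXED_POLICIES = {"VPNALL": {"group_lock": "corpvpn"},
                  "Admin_policy": {"group_lock": "ITAdmin"}}

# Constructed Access-Accept attribute lists, as ACS would return them per group.
CORP_ACCEPT = ietf_attr(IETF_CLASS, b"OU=VPNALL;")
ADMIN_ACCEPT = ietf_attr(IETF_CLASS, b"OU=Admin_policy;")
CORP_ACCEPT_VSA = CORP_ACCEPT + cisco_vsa(VSA_TUNNEL_GROUP_LOCK, b"corpvpn")


def scenarios():
    """Run the connection attempts that matter for the two-tunnel-group requirement."""
    return {
        # Posted config: the AD user lands in VPNALL, which carries no lock, so ITAdmin accepts it.
        "ad_user_on_ITAdmin_posted": evaluate("ITAdmin", CORP_ACCEPT, TUNNEL_GROUPS, POSTED_POLICIES),
        # Same user once VPNALL is locked to corpvpn, or once ACS returns VSA 85 = corpvpn.
        "ad_user_on_ITAdmin_fixed": evaluate("ITAdmin", CORP_ACCEPT, TUNNEL_GROUPS, FIXED_POLICIES),
        "ad_user_on_ITAdmin_vsa": evaluate("ITAdmin", CORP_ACCEPT_VSA, TUNNEL_GROUPS, POSTED_POLICIES),
        # Netadmin user: allowed on ITAdmin, rejected on corpvpn by Admin_policy's group-lock.
        "admin_on_ITAdmin": evaluate("ITAdmin", ADMIN_ACCEPT, TUNNEL_GROUPS, POSTED_POLICIES),
        "admin_on_corpvpn": evaluate("corpvpn", ADMIN_ACCEPT, TUNNEL_GROUPS, POSTED_POLICIES),
        # No attributes at all (e.g. LOCAL authentication): tunnel-group default policy applies.
        "no_attrs_on_corpvpn": evaluate("corpvpn", b"", TUNNEL_GROUPS, POSTED_POLICIES),
    }


if __name__ == "__main__":
    for name, (ok, pol, why) in scenarios().items():
        print(f"{name:28} policy={pol:13} {'ALLOW' if ok else 'DENY'} ({why})")
```

The point the scenarios make is that a group-lock only restricts the policy it is configured in: locking Admin_policy to ITAdmin keeps Netadmin users off corpvpn, but says nothing about AD users arriving on ITAdmin, who are only stopped once the policy they are mapped to (or a per-user Tunnel-Group-Lock returned by ACS) is locked to corpvpn.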