RE: VPN Restriction in ASA OS 8.22

From: Kanishka Acharya (kaachary) <kaachary_at_cisco.com>
Date: Tue, 6 Jul 2010 10:54:01 +0530

AAA attributes will take precedence over the locally configured
attributes on ASA. So, the user will get the group-policy from the
RADIUS server, and not from ASA.

Regards,
 
Kanishka Acharya

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Monday, July 05, 2010 3:15 PM
To: Kanishka Acharya (kaachary)
Cc: Edouard Zorrilla; Farrukh Haroon; security_at_groupstudy.com; Cisco
certification
Subject: Re: VPN Restriction in ASA OS 8.22

Kanishka & Farrukh

Just a quick question here:

If I configure a local group-lock command in the group-policy
configuration and also configure the RADIUS attribute 25 (Class) to have
a different value, which one would take precedence in this situation?

Would the RADIUS attribute override the local one? Maybe I just need to
lab this one up and see for myself!

Thanks,

On Sun, Mar 21, 2010 at 7:41 AM, Kanishka Acharya (kaachary) <
kaachary_at_cisco.com> wrote:

> Binding a group-policy means: irrespective of which tunnel-group the
> user uses to connect, he will use the group-policy that's pushed via
> RADIUS. This doesn't restrict the user to using only one tunnel-group. For
> that purpose, you need to use VSA 85 (Tunnel-Group-Lock) as I
> mentioned earlier.
>
> This can also be done using an LDAP attribute-map based on AD group
> membership.
> The config will look something like:
>
> ciscoasa(config)#ldap attribute-map CISCOMAP
> ciscoasa(config-ldap-attribute-map)#map-name memberOf Tunnel-Group-Lock
> ciscoasa(config-ldap-attribute-map)#map-value memberOf CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com <TunnelGroupName>
>
> ________________________________
>
> From: nobody_at_groupstudy.com on behalf of Edouard Zorrilla
> Sent: Sat 3/20/2010 10:32 AM
> To: Kanishka Acharya (kaachary); Farrukh Haroon
> Cc: security_at_groupstudy.com; Cisco certification
> Subject: Re: VPN Restriction in ASA OS 8.22
>
> Hello Kanishka,
>
> What is the difference between group-lock and binding a group-policy to
> the user?
>
> Thanks,
>
> Regards
>
> ----- Original Message -----
> From: Kanishka Acharya (kaachary)
> To: Farrukh Haroon ; Edouard Zorrilla
> Cc: security_at_groupstudy.com ; Cisco certification
> Sent: Friday, March 19, 2010 4:59 PM
> Subject: RE: VPN Restriction in ASA OS 8.22
>
>
> Actually on ASA, RADIUS Class [25] is no longer used for group-lock,
> but to bind a group-policy to the user. You need to use
> cvpn3000/PIX/ASA VSA 85 (Tunnel-Group-Lock) for this purpose.
> Alternatively, you can use the Group-lock attribute in group-policy
> for this.
>
>
> -----------------------------------------------------------------------------
> From: nobody_at_groupstudy.com on behalf of Farrukh Haroon
> Sent: Sat 3/20/2010 2:21 AM
> To: Edouard Zorrilla
> Cc: security_at_groupstudy.com; Cisco certification
> Subject: Re: VPN Restriction in ASA OS 8.22
>
>
> Do you want to restrict a group to a single user only?
>
> Or do you want to make sure that a particular user 'x' can only log in to
> a particular group 'gx'?
>
> Have you seen the group-lock command and the RADIUS Attribute 25
> (Class)?
>
> Regards
>
> Farrukh
>
> On Fri, Mar 19, 2010 at 11:45 PM, Edouard Zorrilla
> <ezorrilla_at_tsf.com.pe> wrote:
>
> > Hi Team,
> >
> > Is there a way I can make something inside the ASA so that one user
> > just can log in to a single group:
> >
> > group-policy CISCO-ENG internal
> > group-policy CISCO-ENG attributes
> >  vpn-simultaneous-logins 1
> >  vpn-idle-timeout 30
> >  vpn-session-timeout 120
> >  ipsec-udp enable
> >  split-tunnel-policy tunnelall
> >  default-domain value dfg.com
> >  secure-unit-authentication enable
> >  user-authentication enable
> >  user-authentication-idle-timeout 10
> >  address-pools value POOCISCO-ENG
> > !
> > tunnel-group CISCO-ENG type remote-access
> > tunnel-group CISCO-ENG general-attributes
> >  authentication-server-group RADIUS
> >  authentication-server-group (outside) RADIUS
> >  accounting-server-group RADIUS
> >  default-group-policy RAS_test
> > tunnel-group CISCO-ENG ipsec-attributes
> >  pre-shared-key *****
> > !
> >
> > Right now any user can log in to any group; this is not what I want.
> >
> > Thanks
> >
> > Regards
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
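As an added illustration of the two RADIUS attributes discussed in this thread (this is example code, not from any of the posters), here is a small Python encoder/decoder for the attribute list of an Access-Accept that carries Class (25) to bind the group-policy and the cvpn3000/PIX/ASA VSA 85 Tunnel-Group-Lock to pin the tunnel-group. It assumes vendor ID 3076 for the cvpn3000/PIX/ASA VSA dictionary and the "OU=<group-policy>;" form for the Class value; the sample attribute bytes are constructed here.

```python
import struct

RADIUS_CLASS = 25            # Class: the ASA binds it to a group-policy; it no longer locks the tunnel-group
RADIUS_VSA = 26              # Vendor-Specific, carries the cvpn3000/PIX/ASA VSA 85 Tunnel-Group-Lock
CISCO_VPN3000_VENDOR = 3076  # Assumption: vendor ID of the cvpn3000/PIX/ASA VSA dictionary
TUNNEL_GROUP_LOCK = 85       # VSA 85 Tunnel-Group-Lock: the only tunnel-group the user may connect through

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value; Length includes the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute: Vendor-Id(4), then Vendor-Type(1) Vendor-Length(1) Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(RADIUS_VSA, struct.pack("!I", vendor) + inner)

def parse_attrs(blob: bytes) -> list:
    """Walk an attribute list into (type, vendor, vendor_type, value) tuples, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("bad attribute length at offset %d" % i)
        t, length = blob[i], blob[i + 1]
        v = blob[i + 2:i + length]
        if t == RADIUS_VSA:
            if len(v) < 6 or v[5] < 2 or 4 + v[5] > len(v):
                raise ValueError("malformed VSA at offset %d" % i)
            out.append((t, struct.unpack("!I", v[:4])[0], v[4], v[6:4 + v[5]]))
        else:
            out.append((t, None, None, v))
        i += length
    return out

def asa_policy_from_attrs(blob: bytes) -> dict:
    """What the ASA takes from an Access-Accept: group-policy from Class, tunnel-group from VSA 85."""
    result = {"group_policy": None, "tunnel_group_lock": None}
    for t, vendor, vtype, val in parse_attrs(blob):
        if t == RADIUS_CLASS:
            text = val.decode("ascii")
            # Assumption: the Class value is sent in the "OU=<group-policy>;" form the ASA expects
            result["group_policy"] = text[3:].rstrip(";") if text.startswith("OU=") else text
        elif t == RADIUS_VSA and vendor == CISCO_VPN3000_VENDOR and vtype == TUNNEL_GROUP_LOCK:
            result["tunnel_group_lock"] = val.decode("ascii")
    return result

# Constructed sample: the attribute list a RADIUS server would return to pin one user to CISCO-ENG
SAMPLE_ACCEPT = (encode_attr(RADIUS_CLASS, b"OU=CISCO-ENG;")
                 + encode_vsa(CISCO_VPN3000_VENDOR, TUNNEL_GROUP_LOCK, b"CISCO-ENG"))
```

Running asa_policy_from_attrs over a captured Access-Accept shows at a glance whether a server returned only Class (group-policy binding, user still free to pick any tunnel-group) or also VSA 85 (tunnel-group actually locked).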
Received on Tue Jul 06 2010 - 10:54:01 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART