Cisco ASA remote access tunnel group RADIUS question

Posted on 2007-04-04
Medium Priority
Last Modified: 2012-08-14
I am setting up certificate-based authentication on a Cisco ASA 5520 for remote access VPN.  I am using Microsoft RADIUS on the inside interface to do the auth.  The difficulty I am having is selecting the proper tunnel group for each user.  I would like to be able to select the tunnel group based on an AD group.  I am looking into setting up certificate group matching rules but am not sure if there is a better way.  With certificate group matching rules I think I would have to set up a rule for each individual user name.  I want to avoid this if possible.  Is there a RADIUS attribute or something that will select the tunnel group on the ASA based on the RADIUS policies and AD group?  Thank you.
Question by:AlphaTechnologies

Expert Comment

ID: 18861326
Why do you want to set up the tunnel groups based on AD groups?
What are you trying to accomplish with that?

Author Comment

ID: 18861579
I am trying to set up individual subnets / VLANs for different groups of users that need remote access to my network.  The idea being that when a user connects, the RADIUS server places the user in a VLAN based on policy attributes and the tunnel group on the ASA assigns the appropriate DHCP subnet, DNS, etc.  This way I can isolate users based on their VLAN and subnet.
This is the method that I am using now.  The only problem is that I have to add a new certificate group matching rule on the ASA so that the user will be assigned the appropriate tunnel group and I also have to add the user to an AD group so that the user will be assigned the appropriate RADIUS policy.  I would much rather be able to somehow accomplish both tasks based on the user AD group alone.

Expert Comment

ID: 18861700
Hello AlphaTechnologies,

I hope I am answering you correctly, so here is what we have done. My concern has been that people will try to log in with the wrong tunnel-group and as such are given access to resources they should not be. So what I am about to write about will only allow a check to make sure they have got the right one. If they do not, then they get given the default tunnel-group, which has a deny ip any any in it that blocks them completely from accessing anything.

First, the thing that I struggled with: the MS IAS Server (RADIUS). I am assuming you know how to set this up in a basic way. Here go into "Remote Access Policies" and you will now have to create a new policy for each VPN Group. Within this policy enter a new policy condition where it has to match your Windows (AD) group, so that this policy only gets applied if that user belongs to that specific group. Obviously if a user belongs to 2 groups the first policy in the list will be applied.

Now the tricky part: go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in:
where "Tunnel-group-name" is the tunnel-group you want to apply in the Cisco ASA.

That is your Windows side done. Obviously you need to configure your ASA to talk to your IAS Server and have the shared secret worked out - but I am assuming you have this already in place.

On your Cisco Pix side you can then enter:

! group-policy applied to the user once authenticated
group-policy MyPolicy internal
group-policy MyPolicy attributes
 vpn-simultaneous-logins 2
 vpn-idle-timeout none
 vpn-session-timeout none
 ! ACL applied to the tunnel; limits what this group may reach
 vpn-filter value ACL_Tunnel-group-name
 ! user may only connect through this tunnel-group
 group-lock value Tunnel-group-name
 default-domain value my.domain.int

That group-lock value is what we are after here; this is the name of an existing tunnel-group that the users are required to connect with. This way you are safeguarding yourself on the Cisco ASA that users have entered the correct tunnel-group on their VPN Client and have been given the right tunnel-group from the IAS Server.

I do not know a way of overriding the settings on the Cisco VPN client, and I am not even sure if this is possible. However this is what we have, and it seems to work (whenever I do an audit it seems to work).

Please let me know if this helped you or if there is a better (easier?) way of doing this; I would be glad to hear about it.

Author Comment

ID: 18865036
First, thank you for your response Harsem.  I certainly appreciate the effort.  Unfortunately it didn't work for me.

<quote>"Now the tricky part, go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in"

In my testing this had no effect on the tunnel group that the user received from the ASA.  I think this is possibly because I am using certificate-based authentication and I believe you were testing with shared keys.  The certificate includes a designation for OU, which typically corresponds to the VPN group.  The only way to avoid the group being assigned by the OU (that I am aware of) is to create a certificate group matching rule.  The group lock is something that I am already doing.
Thanks again for your response.


Expert Comment

ID: 18867994
Hello AlphaTechnologies,

yup you are right - I am using shared keys.

I hope someone else can help you further along.

Author Comment

ID: 19012150
I finally found out from Cisco TAC that they are going to implement this option in ASA software release 8.0 code via LDAP attribute mapping.
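As an added example (not configuration posted by anyone in this thread and not taken from Cisco's documentation), here is the ASA-side configuration that ties the pieces of this discussion together: the group-lock and deny-all safeguard from the first answer, certificate-OU-to-tunnel-group matching as the asker does it today, and the ASA 8.0 LDAP attribute map mentioned above, which selects the group-policy from the user's AD memberOf attribute so that no per-user certificate matching rule is needed. Every name in it is an assumption: the group-policies GP-Finance and GP-NoAccess, tunnel-group TG-Finance, the ACLs, the address pool, the AD server at 10.0.0.10, the example.com directory DNs and the bind account. The IKE/IPsec crypto, the certificate trustpoint and the interface configuration are left out. On 8.0 and 8.1 the target attribute in the map is named IETF-Radius-Class; Group-Policy is the name used from 8.2 onwards.

```cisco
! Deny-all filter for users who authenticate but match no mapped AD group
access-list ACL-DENY-ALL extended deny ip any any
! What the Finance group is allowed to reach through the tunnel (assumed subnet)
access-list ACL-FINANCE extended permit ip any 10.10.10.0 255.255.255.0

ip local pool POOL-FINANCE 10.10.10.10-10.10.10.100 mask 255.255.255.0

! Fallback group-policy: the tunnel comes up, but the ACL blocks everything
group-policy GP-NoAccess internal
group-policy GP-NoAccess attributes
 vpn-filter value ACL-DENY-ALL

! Finance group-policy, locked to its own tunnel-group (assumed names)
group-policy GP-Finance internal
group-policy GP-Finance attributes
 vpn-filter value ACL-FINANCE
 group-lock value TG-Finance
 vpn-simultaneous-logins 2
 default-domain value example.com

! Certificate matching: OU=Finance in the client certificate subject selects TG-Finance
crypto ca certificate map CERTMAP-Finance 10
 subject-name attr ou eq Finance
tunnel-group-map enable rules
tunnel-group-map CERTMAP-Finance 10 TG-Finance

! ASA 8.x LDAP attribute map: AD memberOf value -> ASA group-policy name.
! On 8.0/8.1 write "map-name memberOf IETF-Radius-Class" instead of Group-Policy.
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" GP-Finance

! AD as the authorization server (assumed host, base DN and bind account)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! Anyone who lands in the default tunnel-group gets the deny-all policy
tunnel-group DefaultRAGroup general-attributes
 default-group-policy GP-NoAccess

tunnel-group TG-Finance type remote-access
tunnel-group TG-Finance general-attributes
 address-pool POOL-FINANCE
 default-group-policy GP-NoAccess
 ! look the user up in AD by the CN of the presented certificate and apply the mapped policy
 authorization-server-group AD-LDAP
 authorization-required
 authorization-dn-attributes CN
```

With this in place the tunnel-group is still chosen by the certificate map before authorization runs, so group-lock only catches a mismatch between the tunnel-group the certificate selected and the group-policy AD returned; a user whose memberOf matches no map-value line stays on GP-NoAccess. To check the mapping without a client, run test aaa-server authorization AD-LDAP username <user> and, for a live session, show vpn-sessiondb detail remote, which reports both the Tunnel Group and the Group Policy that were applied; debug ldap 255 shows the memberOf values the ASA received and which one it mapped.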

Accepted Solution

Computer101 earned 0 total points
ID: 19251490
PAQed with points refunded (500)

EE Admin
