

Cisco ASA remote access tunnel group RADIUS question

Posted on 2007-04-04
Medium Priority
Last Modified: 2012-08-14
I am setting up certificate based authentication on a Cisco ASA 5520 for remote access vpn.  I am using Microsoft RADIUS on the inside interface to do the auth.  The difficulty I am having is selecting the proper tunnel group for each user.  I would like to be able to select the tunnel group based on an AD group.  I am looking into setting up certificate group matching rules but am not sure if there is a better way.  With certificate group matching rules I think I would have to setup a rule for each individual user name.  I want to avoid this if possible.   Is there a radius attribute or something that will select the tunnel group on the ASA based on the RADIUS policies and AD group?  Thank you.
Question by:AlphaTechnologies

Expert Comment

ID: 18861326
Why do you want to set up the tunnel groups based on AD groups?
What are you trying to accomplish with that?

Author Comment

ID: 18861579
I am trying to setup individual subnets \ vlans for different groups of users that need remote access to my network.  The idea being that when a user connects the RADIUS server places the user in a vlan based on policy attributes and the tunnel group on the ASA assigns the appropriate dhcp subnet, dns, etc.  This way I can isolate users based on their vlan and subnet.  
This is the method that I am using now.  The only problem is that I have to add a new certificate group matching rule on the ASA so that the user will be assigned the appropriate tunnel group and I also have to add the user to an AD group so that the user will be assigned the appropriate RADIUS policy.  I would much rather be able to somehow accomplish both tasks based on the user AD group alone.

Expert Comment

ID: 18861700
Hello AlphaTechnologies,

I hope I am answering you correctly - so here is what we have done. My concern has been that people will try to log in with the wrong tunnel-group and as such are given access to resources they should not be. So what I am about to write about will only check to make sure they have got the right one. If they do not then they get given the default tunnel-group which has a deny ip any any in it that blocks them completely from accessing anything.

First, the thing that I struggled with: the MS IAS Server (RADIUS). I am assuming you know how to set this up in a basic way. Here go into "Remote Access Policies" and you will now have to create a new policy for each VPN Group. Within this Policy enter a new Policy condition where it has to match your Windows (AD) group, so that this policy only gets applied if that user belongs to that specific group. Obviously if a user belongs to 2 groups the first policy in the list will be applied.

Now the tricky part, go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in:
where "Tunnel-group-name" is the tunnel-group you want to apply in the Cisco ASA.

That is your Windows side done. Obviously you need to configure your ASA to talk to your IAS Server and have the shared secret worked out - but I am assuming you have this already in place.

On your Cisco Pix side you can then enter:

group-policy MyPolicy internal
group-policy MyPolicy attributes
 vpn-simultaneous-logins 2
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value ACL_Tunnel-group-name
 group-lock value Tunnel-group-name
 default-domain value my.domain.int

That group-lock value is what we are after here: this is the name of an existing tunnel-group that the users are required to connect with. This way you are safeguarding yourself on the Cisco ASA that users have entered the correct tunnel-group on their VPN Client and have been given the right tunnel-group from the IAS Server.

I do not know a way of overriding the settings on the Cisco VPN client - and I am not even sure if this is possible. However this is what we have - and it seems to work (whenever I do an audit it seems to work).

Please let me know if this helped you or if there is a better (easier?) way of doing this - I would be glad to hear about it.
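The comment above shows only the group-policy fragment. Below is an added example (not the expert's own configuration) of the surrounding ASA 7.x pieces that design depends on: the RADIUS server group for IAS, a deny-all default group-policy, and a per-group policy whose group-lock names the tunnel-group the user must have chosen. Every name, address and secret here is an assumption; on the ASA, the RADIUS Class attribute (attribute 25) is read in the form OU=<group-policy-name>; to select the group-policy, so the value entered in IAS must match the group-policy name on the ASA.

```cisco
! Added example, modelled on the group-lock design in the comment above.
! All names, addresses and secrets are placeholders / assumptions.
!
! RADIUS server group pointing at the IAS server on the inside interface.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.1.1.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
! Default group-policy: a user who gets no matching policy from IAS lands
! here, and the deny-all vpn-filter blocks every packet.
access-list ACL_DENY_ALL extended deny ip any any
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-filter value ACL_DENY_ALL
!
! Per-group policy, returned by IAS as Class = "OU=Engineering;".
! group-lock binds it to the tunnel-group of the same name: if the user
! connected with any other tunnel-group, the ASA refuses the session instead
! of handing out this policy's subnet, DNS and filter.
ip local pool POOL_Engineering 10.10.10.1-10.10.10.100 mask 255.255.255.0
access-list ACL_Engineering extended permit ip 10.10.10.0 255.255.255.0 10.20.0.0 255.255.0.0
group-policy Engineering internal
group-policy Engineering attributes
 vpn-simultaneous-logins 2
 vpn-idle-timeout none
 vpn-filter value ACL_Engineering
 group-lock value Engineering
 dns-server value 10.1.1.20
 default-domain value example.int
!
! The tunnel-group the user selects in the VPN client. IAS authenticates the
! user; the group-policy actually applied comes from the RADIUS reply, and
! falls back to NoAccess when the reply carries no usable Class value.
tunnel-group Engineering type ipsec-ra
tunnel-group Engineering general-attributes
 authentication-server-group IAS
 address-pool POOL_Engineering
 default-group-policy NoAccess
tunnel-group Engineering ipsec-attributes
 pre-shared-key <group-psk-placeholder>
```

The vpn-filter ACL is written from the remote user's side (source = VPN pool, destination = inside network). The "type ipsec-ra" keyword is the 7.x spelling; 8.0 accepts "type remote-access" for the same thing.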

Author Comment

ID: 18865036
First, thank you for your response Harsem.  I certainly appreciate the effort.  Unfortunately it didn't work for me.

"Now the tricky part, go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in"

In my testing this had no effect on the tunnel group that the user received from the ASA.  I think this is possibly because I am using certificate based authentication and I believe you were testing with shared keys.  The certificate includes a designation for OU which typically corresponds to the vpn group.  The only way to avoid the group being assigned by the OU (that I am aware of) is to create a certificate group matching rule.  The group lock is something that I am already doing.
Thanks again for your response.
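For readers who have not seen them, this is what the certificate group matching rules mentioned in the comment above look like on an ASA 7.x: an added example, not the poster's configuration. It matches on the certificate's OU (one rule per group, which is the alternative to the per-user rules the question was trying to avoid) and sends unmatched certificates to a tunnel-group whose default policy blocks traffic. Trustpoint, map, group and server names are all assumptions.

```cisco
! Added example of certificate-to-tunnel-group mapping. Names are assumptions.
!
! Trustpoint holding the CA that issued the client certificates.
crypto ca trustpoint CORP_CA
 enrollment terminal
!
! Rule 10 matches certificates whose Subject contains OU=Engineering,
! rule 20 those with OU=Finance. Matching on OU needs one rule per group,
! not one per user.
crypto ca certificate map CORP_CERTMAP 10
 subject-name attr ou eq Engineering
crypto ca certificate map CORP_CERTMAP 20
 subject-name attr ou eq Finance
!
! Turn on rule-based mapping and bind each map entry to a tunnel-group.
tunnel-group-map enable rules
tunnel-group-map CORP_CERTMAP 10 Engineering
tunnel-group-map CORP_CERTMAP 20 Finance
!
! Certificates matching no rule land in a tunnel-group whose default
! group-policy carries a deny-all filter.
tunnel-group-map default-group NoAccessGroup
access-list ACL_DENY_ALL extended deny ip any any
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-filter value ACL_DENY_ALL
tunnel-group NoAccessGroup type ipsec-ra
tunnel-group NoAccessGroup general-attributes
 default-group-policy NoAccess
!
! Certificate-authenticated tunnel-group; IAS still performs the user
! authentication for the groups that are mapped.
tunnel-group Engineering type ipsec-ra
tunnel-group Engineering general-attributes
 authentication-server-group IAS
tunnel-group Engineering ipsec-attributes
 trust-point CORP_CA
```

With "tunnel-group-map enable rules" in place the OU decides the tunnel-group before RADIUS is consulted, which is why a Class value from IAS cannot move a certificate user into a different tunnel-group on this release.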


Expert Comment

ID: 18867994
Hello AlphaTechnologies,

yup you are right - I am using shared keys.

I hope someone else can help you further along.

Author Comment

ID: 19012150
I finally found out from Cisco TAC that they are going to implement this option in ASA software release 8.0 code via LDAP attribute mapping.

Accepted Solution

Computer101 earned 0 total points
ID: 19251490
PAQed with points refunded (500)

EE Admin
