Cisco ASA remote access tunnel group RADIUS question

Posted on 2007-04-04
Last Modified: 2012-08-14
I am setting up certificate-based authentication on a Cisco ASA 5520 for remote access VPN. I am using Microsoft RADIUS on the inside interface to do the auth. The difficulty I am having is selecting the proper tunnel group for each user. I would like to be able to select the tunnel group based on an AD group. I am looking into setting up certificate group matching rules but am not sure if there is a better way. With certificate group matching rules I think I would have to set up a rule for each individual user name. I want to avoid this if possible. Is there a RADIUS attribute or something that will select the tunnel group on the ASA based on the RADIUS policies and AD group? Thank you.
Question by:AlphaTechnologies

Expert Comment

ID: 18861326
Why do you want to set up the tunnel groups based on AD groups?
What are you trying to accomplish with that?

Author Comment

ID: 18861579
I am trying to set up individual subnets / VLANs for different groups of users that need remote access to my network. The idea being that when a user connects the RADIUS server places the user in a VLAN based on policy attributes and the tunnel group on the ASA assigns the appropriate DHCP subnet, DNS, etc. This way I can isolate users based on their VLAN and subnet.
This is the method that I am using now. The only problem is that I have to add a new certificate group matching rule on the ASA so that the user will be assigned the appropriate tunnel group, and I also have to add the user to an AD group so that the user will be assigned the appropriate RADIUS policy. I would much rather be able to somehow accomplish both tasks based on the user's AD group alone.

Expert Comment

ID: 18861700
Hello AlphaTechnologies,

I hope I am answering you correctly - so here is what we have done. My concern has been that people will try to log in with the wrong tunnel-group and as such are given access to resources they should not have. So what I am about to write about will only check to make sure they have got the right one. If they do not then they get given the default tunnel-group which has a deny ip any any in it that blocks them completely from accessing anything.

First, the thing that I struggled with, the MS IAS Server (RADIUS). I am assuming you know how to set this up in a basic way. Here go into "Remote Access Policies" and you will now have to create a new policy for each VPN Group. Within this Policy enter a new Policy condition where it has to match your Windows (AD) group, so that this policy only gets applied if that user belongs to that specific group. Obviously if a user belongs to 2 groups the first policy in the list will be applied.

Now the tricky part, go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in:
where "Tunnel-group-name" is the tunnel-group you want to apply in the Cisco ASA.

That is your Windows side done. Obviously you need to configure your ASA to talk to your IAS Server and have the shared secret worked out - but I am assuming you have this already in place.

On your Cisco Pix side you can then enter:

group-policy MyPolicy internal
group-policy MyPolicy attributes
 vpn-simultaneous-logins 2
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value ACL_Tunnel-group-name
 group-lock value Tunnel-group-name
 default-domain value

That group-lock value is what we are after here; this is the name of an existing tunnel-group that the users are required to connect with. This way you are safeguarding yourself on the Cisco ASA that users have entered the correct tunnel-group on their VPN Client and have been given the right tunnel-group from the IAS Server.

I do not know a way of overriding the settings on the Cisco VPN client - and I am not even sure if this is possible. However this is what we have - and it seems to work (whenever I do an audit it seems to work).

Please let me know if this helped you or if there is a better (easier?) way of doing this - I would be glad to hear about it.
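To make the two checks in the comment above concrete, here is an added Python simulation of the decision flow it describes (RADIUS policy ordering on the IAS side, then group-lock on the ASA side). It is illustrative code written for this page, not code from the thread, from IAS or from the ASA; the policy names, AD group names, tunnel-group names and ACL names are constructed, and the assumption that the Class attribute carries the bare tunnel-group name is a simplification, since the comment's exact Class value is not preserved on the page.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class RemoteAccessPolicy:
    """One IAS 'Remote Access Policy': a Windows-group condition plus the
    Class attribute returned in the Access-Accept (constructed values)."""
    name: str
    windows_group: str
    class_value: str          # assumed to be the tunnel-group name the ASA applies


@dataclass(frozen=True)
class GroupPolicy:
    """ASA group-policy attributes relevant here (vpn-filter, group-lock)."""
    name: str
    vpn_filter: str
    group_lock: Optional[str] = None


# Constructed sample data; all names are hypothetical, not from the thread.
IAS_POLICIES: List[RemoteAccessPolicy] = [
    RemoteAccessPolicy("VPN-Engineering", "VPN_Eng", "TG_ENG"),
    RemoteAccessPolicy("VPN-Finance", "VPN_Fin", "TG_FIN"),
]
ASA_GROUP_POLICIES: Dict[str, GroupPolicy] = {
    "TG_ENG": GroupPolicy("TG_ENG", "ACL_TG_ENG", group_lock="TG_ENG"),
    "TG_FIN": GroupPolicy("TG_FIN", "ACL_TG_FIN", group_lock="TG_FIN"),
}
# The fallback policy the comment describes: its filter denies everything.
DEFAULT_GROUP_POLICY = GroupPolicy("DfltGrpPolicy", "ACL_DENY_ALL")


def ias_evaluate(policies: Iterable[RemoteAccessPolicy],
                 user_groups: Iterable[str]) -> Optional[Dict[str, str]]:
    """Return the RADIUS reply attributes, or None for an Access-Reject.
    Policies are evaluated in list order; the first whose Windows-group
    condition matches wins, so a user in two groups gets the earlier policy."""
    groups = set(user_groups)
    for policy in policies:
        if policy.windows_group in groups:
            return {"Class": policy.class_value}
    return None


def asa_apply(reply: Optional[Dict[str, str]],
              connected_tunnel_group: str) -> Optional[GroupPolicy]:
    """Pick the group-policy the session ends up with.
    None means authentication failed. An unknown Class value, or a
    group-lock that does not match the tunnel-group the client connected
    with, falls back to the default policy with the deny-all filter."""
    if reply is None:
        return None
    assigned = ASA_GROUP_POLICIES.get(reply.get("Class", ""))
    if assigned is None:
        return DEFAULT_GROUP_POLICY
    if assigned.group_lock is not None and assigned.group_lock != connected_tunnel_group:
        return DEFAULT_GROUP_POLICY
    return assigned


def connect(user_groups: Iterable[str], connected_tunnel_group: str) -> Optional[GroupPolicy]:
    """Full remote-access decision: IAS policy match, then ASA group-lock."""
    return asa_apply(ias_evaluate(IAS_POLICIES, user_groups), connected_tunnel_group)


if __name__ == "__main__":
    cases = [
        ({"VPN_Eng"}, "TG_ENG"),              # right group, right tunnel-group
        ({"VPN_Eng"}, "TG_FIN"),              # right group, wrong tunnel-group
        ({"VPN_Eng", "VPN_Fin"}, "TG_FIN"),   # two groups: first policy wins
        (set(), "TG_ENG"),                    # no matching policy
    ]
    for groups, tg in cases:
        gp = connect(groups, tg)
        outcome = "rejected" if gp is None else f"{gp.name} ({gp.vpn_filter})"
        print(sorted(groups), tg, "->", outcome)
```

The third case is the one worth noticing: a user in both AD groups is handed the first policy in the IAS list, so connecting with the second tunnel-group trips group-lock and lands on the deny-all default, exactly the ordering caveat the comment raises.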
Author Comment

ID: 18865036
First, thank you for your response Harsem.  I certainly appreciate the effort.  Unfortunately it didn't work for me.

"Now the tricky part, go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in:"

In my testing this had no effect on the tunnel group that the user received from the ASA. I think this is possibly because I am using certificate-based authentication and I believe you were testing with shared keys. The certificate includes a designation for OU which typically corresponds to the VPN group. The only way to avoid the group being assigned by the OU (that I am aware of) is to create a certificate group matching rule. The group lock is something that I am already doing.
Thanks again for your response.


Expert Comment

ID: 18867994
Hello AlphaTechnologies,

Yup, you are right - I am using shared keys.

I hope someone else can help you further along.

Author Comment

ID: 19012150
I finally found out from Cisco TAC that they are going to implement this option in ASA software release 8.0 code via LDAP attribute mapping.

Accepted Solution

Computer101 earned 0 total points
ID: 19251490
PAQed with points refunded (500)

EE Admin
