Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Cisco ASA remote access tunnel group RADIUS question

Posted on 2007-04-04
Medium Priority
Last Modified: 2012-08-14
I am setting up certificate based authentication on a Cisco ASA 5520 for remote access vpn.  I am using Microsoft RADIUS on the inside interface to do the auth.  The difficulty I am having is selecting the proper tunnel group for each user.  I would like to be able to select the tunnel group based on an AD group.  I am looking into setting up certificate group matching rules but am not sure if there is a better way.  With certificate group matching rules I think I would have to setup a rule for each individual user name.  I want to avoid this if possible.   Is there a radius attribute or something that will select the tunnel group on the ASA based on the RADIUS policies and AD group?  Thank you.
Question by:AlphaTechnologies
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 16

Expert Comment

ID: 18861326
Why do you want to set up the tunnel groups based on AD groups?
What are you trying to accomplish with that?

Author Comment

ID: 18861579
I am trying to setup individual subnets \ vlans for different groups of users that need remote access to my network.  The idea being that when a user connects the RADIUS server places the user in a vlan based on policy attributes and the tunnel group on the ASA assigns the appropriate dhcp subnet, dns, etc.  This way I can isolate users based on their vlan and subnet.  
This is the method that I am using now.  The only problem is that I have to add a new certificate group matching rule on the ASA so that the user will be assigned the appropriate tunnel group and I also have to add the user to an AD group so that the user will be assigned the appropriate RADIUS policy.  I would much rather be able to somehow accomplish both tasks based on the user AD group alone.

Expert Comment

ID: 18861700
Hello AlphaTechnologies,

I hope I am answering you correctly - so here is what we have done. My concern has been that people will try to log in with the wrong tunnel-group and as such are given access to resources they should not be. So what I am about to write about will only allow check to make sure they have got the right one. If they do not then they get given the defualt tunnel-group which has a deny ip any any in it that blocks them completely from accesing anything.

Firs tthe thing that I struggled with, the MS IAS Server (RADIUS). I am assuming you know how to set this up in a basic way. Here go into "Remote Access Policies" and you will now have to create a new policy for each VPN Group. Within this Policy enter a new Policy condition where it has to match your Windows (AD) group. So that this policy only gets applied if that user belongs to that specific group. Obviously if a user belongs to 2 groups the first policy in the list will be applied.

Now the tricky part, go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in"
where "Tunnel-group-name" is the tunnel-group you want to apply in the Cisco ASA.

That is your Windows side done. Obviously you need to configure your ASA to talk to your IAS Server and have the shared secret worked out - but I am assuming you have this already in place.

On your Cisco Pix side you can then enter:

group-policy MyPolicy internal
group-policy MyPolicy attributes
 vpn-simultaneous-logins 2
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value ACL_Tunnel-group-name
 group-lock value Tunnel-group-name
 default-domain value my.domain.int

that group-lock value is what we are after here this is the name of an existing tunnel-group that the users are required to connect with. This way you are safeguarding yourself on the Cisco ASA that users have entered the correctt tunnel-group on their VPN Client and have been given the right tunnel-group from the IAS Server.

I do not know a way of overriding the settings on the Cisco VPN client - and I am not even sure if this is possible. However this is what we have - and it seems to work (whenever I do an audit it seems to work).

Please let me know if this helped you or if there is a better (easier?) way of tdoing this - I would be glad to hear about it.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.


Author Comment

ID: 18865036
First, thank you for your response Harsem.  I certainly appreciate the effort.  Unfortunately it didn't work for me.

<quote>"Now the tricky part, go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in"

In my testing this had no effect on the tunnel group that the user received from the ASA.  I think this is possibly because I am using certificate based authentication and I believe you were testing with shared keys.  The certificate includes a designation for OU which typically corresponds to the vpn group.  The only way to avoid the group being assigned by the OU (that I am aware of) is to create a certificate group matching rule.  The group lock is something that I am already doing.
Thanks again for your reponse.


Expert Comment

ID: 18867994
Hello AlphaTechnologies,

yup you are right - I am using shared keys.

I hope someone else can help you further along.

Author Comment

ID: 19012150
I finally found out from Cisco TAC that they are going to implement this option in ASA software release 8.0 code via LDAP attribute mapping.

Accepted Solution

Computer101 earned 0 total points
ID: 19251490
PAQed with points refunded (500)

EE Admin

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Considering cloud tradeoffs and determining the right mix for your organization.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question