Solved

Cisco ASA remote access tunnel group RADIUS question

Posted on 2007-04-04
8
3,849 Views
Last Modified: 2012-08-14
I am setting up certificate based authentication on a Cisco ASA 5520 for remote access VPN. I am using Microsoft RADIUS on the inside interface to do the auth. The difficulty I am having is selecting the proper tunnel group for each user. I would like to be able to select the tunnel group based on an AD group. I am looking into setting up certificate group matching rules but am not sure if there is a better way. With certificate group matching rules I think I would have to set up a rule for each individual user name. I want to avoid this if possible. Is there a RADIUS attribute or something that will select the tunnel group on the ASA based on the RADIUS policies and AD group? Thank you.
Question by:AlphaTechnologies
8 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
Why do you want to set up the tunnel groups based on AD groups?
What are you trying to accomplish with that?
0
 

Author Comment

by:AlphaTechnologies
I am trying to set up individual subnets / VLANs for different groups of users that need remote access to my network. The idea being that when a user connects, the RADIUS server places the user in a VLAN based on policy attributes and the tunnel group on the ASA assigns the appropriate DHCP subnet, DNS, etc. This way I can isolate users based on their VLAN and subnet.
This is the method that I am using now. The only problem is that I have to add a new certificate group matching rule on the ASA so that the user will be assigned the appropriate tunnel group, and I also have to add the user to an AD group so that the user will be assigned the appropriate RADIUS policy. I would much rather be able to somehow accomplish both tasks based on the user's AD group alone.
0
 
LVL 5

Expert Comment

by:Harsem
Hello AlphaTechnologies,

I hope I am answering you correctly - so here is what we have done. My concern has been that people will try to log in with the wrong tunnel-group and as such are given access to resources they should not be. So what I am about to write about will only check to make sure they have got the right one. If they do not, then they get given the default tunnel-group, which has a deny ip any any in it that blocks them completely from accessing anything.

First, the thing that I struggled with: the MS IAS Server (RADIUS). I am assuming you know how to set this up in a basic way. Here go into "Remote Access Policies" and you will now have to create a new policy for each VPN Group. Within this Policy enter a new Policy condition where it has to match your Windows (AD) group, so that this policy only gets applied if that user belongs to that specific group. Obviously if a user belongs to 2 groups the first policy in the list will be applied.

Now the tricky part: go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in:

OU=Tunnel-group-name;

where "Tunnel-group-name" is the tunnel-group you want to apply in the Cisco ASA.

That is your Windows side done. Obviously you need to configure your ASA to talk to your IAS Server and have the shared secret worked out - but I am assuming you have this already in place.

On your Cisco Pix side you can then enter:

group-policy MyPolicy internal
group-policy MyPolicy attributes
 dhcp-network-scope 172.24.0.0
 vpn-simultaneous-logins 2
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value ACL_Tunnel-group-name
 group-lock value Tunnel-group-name
 default-domain value my.domain.int

That group-lock value is what we are after here: this is the name of an existing tunnel-group that the users are required to connect with. This way you are safeguarding yourself on the Cisco ASA that users have entered the correct tunnel-group on their VPN Client and have been given the right tunnel-group from the IAS Server.

I do not know a way of overriding the settings on the Cisco VPN client - and I am not even sure if this is possible. However this is what we have - and it seems to work (whenever I do an audit it seems to work).

Please let me know if this helped you or if there is a better (easier?) way of doing this - I would be glad to hear about it.
0
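To make the mechanism in the answer above concrete, here is an added Python model (not Cisco, Microsoft or Harsem's code) of the two checks it relies on: the ASA reading a RADIUS Class attribute shaped like "OU=<name>;" to pick a group-policy, and group-lock then refusing a session whose client chose a different tunnel-group. The RADIUS attribute wire format and the Class type number (25) are from RFC 2865; the policy table reuses the names from the config in the post; the default policy's filter name ACL_DENY_ANY, the Access-Accept contents and the parser itself are constructed for this example.

```python
"""Constructed model of RADIUS Class -> ASA group-policy selection plus group-lock.
Not the ASA's actual implementation; it mirrors the behaviour described in the post."""
import struct

RADIUS_CLASS = 25        # Class attribute type, RFC 2865 section 5.25
RADIUS_SERVICE_TYPE = 6  # Service-Type attribute, RFC 2865 section 5.6


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS AVP wire format: Type (1 byte), Length (1 byte, includes header), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def decode_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list, rejecting truncated or malformed lengths."""
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def group_policy_from_class(attrs: list):
    """Return the name from the first Class value of the form 'OU=<name>;', else None.
    A Class value that is just an opaque session token (the RFC 2865 usage) yields None."""
    for attr_type, value in attrs:
        if attr_type != RADIUS_CLASS:
            continue
        text = value.decode("ascii", errors="replace")
        if text.startswith("OU="):
            name = text[3:].split(";", 1)[0].strip()
            if name:
                return name
    return None


# Constructed table mirroring the group-policy from the post's ASA config.
GROUP_POLICIES = {
    "MyPolicy": {"group-lock": "Tunnel-group-name", "vpn-filter": "ACL_Tunnel-group-name"},
}
# Assumed default group-policy whose filter denies everything, as the post describes.
DEFAULT_GROUP_POLICY = {"group-lock": None, "vpn-filter": "ACL_DENY_ANY"}


def resolve_session(selected_tunnel_group: str, attrs: list) -> tuple:
    """Decide (policy_name, vpn_filter, reason) for a client that connected through
    selected_tunnel_group and received `attrs` in the RADIUS Access-Accept."""
    name = group_policy_from_class(attrs)
    policy = GROUP_POLICIES.get(name) if name else None
    if policy is None:
        # Absent or unknown Class value: the default group-policy applies (deny-all filter).
        return ("default", DEFAULT_GROUP_POLICY["vpn-filter"], "no group-policy match; default applied")
    lock = policy["group-lock"]
    if lock is not None and lock != selected_tunnel_group:
        # group-lock mismatch: the session is refused rather than silently re-homed.
        return (None, None, "group-lock %s != tunnel-group %s" % (lock, selected_tunnel_group))
    return (name, policy["vpn-filter"], "ok")


def constructed_access_accept_attrs(class_value: bytes) -> bytes:
    """Attribute payload of a constructed Access-Accept: Service-Type=Framed-User plus Class."""
    framed_user = struct.pack("!I", 2)  # Service-Type value 2 = Framed-User
    return encode_attribute(RADIUS_SERVICE_TYPE, framed_user) + encode_attribute(RADIUS_CLASS, class_value)


if __name__ == "__main__":
    cases = [("Tunnel-group-name", b"OU=MyPolicy;"),   # right group, right tunnel-group
             ("SomeOtherGroup", b"OU=MyPolicy;"),      # right group, wrong tunnel-group
             ("Tunnel-group-name", b"OU=Unknown;"),    # policy name the ASA does not know
             ("Tunnel-group-name", b"opaque-token")]   # plain RFC 2865 Class, no OU=
    for tunnel_group, class_value in cases:
        attrs = decode_attributes(constructed_access_accept_attrs(class_value))
        print(tunnel_group, class_value, "->", resolve_session(tunnel_group, attrs))
```

The second and third cases are the ones the answer is guarding against: a user who picked the wrong tunnel-group on the client is refused by group-lock, and a RADIUS policy that returns a name the ASA has no group-policy for falls through to the deny-all default instead of inheriting a more permissive group.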
 

Author Comment

by:AlphaTechnologies
First, thank you for your response Harsem. I certainly appreciate the effort. Unfortunately it didn't work for me.

> "Now the tricky part, go into "Edit Profile" and then onto the "Advanced" tab. In here clear everything and then add "Class" (does not seem to make sense but this works for me). Here type in"
> OU=Tunnel-group-name;"

In my testing this had no effect on the tunnel group that the user received from the ASA. I think this is possibly because I am using certificate based authentication and I believe you were testing with shared keys. The certificate includes a designation for OU which typically corresponds to the VPN group. The only way to avoid the group being assigned by the OU (that I am aware of) is to create a certificate group matching rule. The group lock is something that I am already doing.
Thanks again for your response.

0
 
LVL 5

Expert Comment

by:Harsem
Hello AlphaTechnologies,

Yup, you are right - I am using shared keys.

I hope someone else can help you further along.
0
 

Author Comment

by:AlphaTechnologies
I finally found out from Cisco TAC that they are going to implement this option in ASA software release 8.0 code via LDAP attribute mapping.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin
0