Hi guys. Just for my own sanity, can someone confirm this understanding
(ignoring the VPN concentrators)?

The 'old' Group-Lock (where users can be assigned to specific VPN groups) is
ONLY now supported when using LOCAL authentication?

Secondly, if I use RADIUS for authentication I can only 'check' that the
group name the user is trying to connect to is valid, using the
Tunnel-group-lock attribute on the ACS. If the group name matches the user
is allowed, if not, it fails.

Is this correct? I'd appreciate your comments (Tyson especially :-) See you
next month in Ohio for your bootcamp!).

Dazzler

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tyson Scott
Sent: 06 November 2009 04:17
To: 'imran mohammed'
Cc: 'Cisco certification'; 'OSL CCIE Security Lab Exam'
Subject: RE: [OSL | CCIE_Security] Group attribute settings in ezvpn

Here is the information from Cisco.  One note is that it actually also works
with TACACS+.

User-VPN-Group

The User-VPN-Group attribute is a replacement for the
<http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hunity.html#wp1140480>
Group-Lock attribute. It allows support for both preshared key and RSA
signature authentication mechanisms such as certificates.

If you need to check that the group a user is attempting to connect to is
indeed the group the user belongs to, use the User-VPN-Group attribute. The
administrator sets this attribute to a string, which is the group that the
user belongs to. The group the user belongs to is matched against the VPN
group as defined by group name (ID_KEY_ID) for preshared keys or by the OU
field of a certificate. If the groups do not match, the client connection is
terminated.

This feature works only with AAA RADIUS. Local Xauth authentication must
still use the Group-Lock attribute.

The following is an output example of a RADIUS AV pair for the User-VPN-Group
attribute:

ipsec:user-vpn-group=cisco

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
Provider) Certification Training with locations throughout the United
States, Europe and Australia. Be sure to check out our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

From: imran mohammed [mailto:[email protected]] 
Sent: Thursday, November 05, 2009 12:49 PM
To: Tyson Scott
Cc: Cisco certification; OSL CCIE Security Lab Exam
Subject: Re: [OSL | CCIE_Security] Group attribute settings in ezvpn

Hi Tyson,

I totally agree with your point; actually, I did that and it works fine.

If I am not wrong, normally the group attributes are applied to the user
first. Suppose, in my case, MYPOOL: when I add the attribute to the user setup
it works fine, as you said. But here I want MYPOOL to be assigned to all the
users in the group, so I have put that in the group setup and removed it from
the user setup (as user attributes override the group attributes). When I do
that I don't get the IP address assigned, i.e. the group attributes are not
being assigned. It is not just the pool; the other attributes like DNS are
missing too.

One more point: take the user I have created, for example user1, and say my
group is MYGROUP. Do I need to add this user user1 into MYGROUP? Because in my
ACS config it is in the default group; if I put it in MYGROUP it works fine as
expected.

If we do that, then what's the use of having the ipsec:user-vpn-group AV?

Regards
Imran




On Thu, Nov 5, 2009 at 10:54 PM, Tyson Scott <[email protected]> wrote:

Add all the settings to the users group or add all the settings to the user
and it will work fine.

From: [email protected]
[mailto:[email protected]] On Behalf Of imran
mohammed
Sent: Thursday, November 05, 2009 12:03 PM
To: Cisco certification; OSL CCIE Security Lab Exam
Subject: [OSL | CCIE_Security] Group attribute settings in ezvpn

Hi All,



This time I am working with RADIUS Xauth and authorization for EzVPN.
This is what I am trying to configure: users get authenticated (which is
working), and the ACS should respond with the group information (in my case
MYGROUP) so that all the policies belonging to that group are assigned to
that user.

Under group settings I have configured:

ipsec:addr-pool=MYPOOL
ipsec:inacl=100
ipsec:split-dns=company.com
ipsec:dns-servers=30.1.1.128

Under user (the user belongs to the default group):

ipsec:user-vpn-group=MYGROUP

Now things work fine if I assign the user to MYGROUP or define
ipsec:addr-pool=MYPOOL under the user settings.

The problem is that even though ACS tells that the user belongs to MYGROUP,
the group-level attributes are not implemented, so I don't get the IP address
assigned (as I see in debug isakmp). If I put the pool AV in the user
settings it works fine.

Here is my radius debug:

*Mar  1 01:05:50.943: RADIUS/ENCODE(00000019):Orig. component type = VPN_IPSEC
*Mar  1 01:05:50.947: RADIUS:  AAA Unsupported Attr: interface         [174]
8
*Mar  1 01:05:50.947: RADIUS:   31 30 2E 31 2E 31
[10.1.1]
*Mar  1 01:05:50.951: RADIUS(00000019): Config NAS IP: 100.1.1.10
*Mar  1 01:05:50.955: RADIUS/ENCODE(00000019): acct_session_id: 25
*Mar  1 01:05:50.955: RADIUS(00000019): sending
*Mar  1 01:05:50.967: RADIUS(00000019): Send Access-Request to
30.1.1.128:1645 id 1645/19, len 91
*Mar  1 01:05:50.971: RADIUS:  authenticator A9 96 66 51 F0 F1 28 04 - 19 D2
EF 59 E1 25 A5 0B
*Mar  1 01:05:50.975: RADIUS:  User-Name           [1]   9   "MYGROUP"
*Mar  1 01:05:50.979: RADIUS:  User-Password       [2]   18  *
*Mar  1 01:05:50.979: RADIUS:  Calling-Station-Id  [31]  10  "50.1.1.2"
*Mar  1 01:05:50.979: RADIUS:  NAS-Port-Type       [61]  6   Virtual
[5]
*Mar  1 01:05:50.979: RADIUS:  NAS-Port            [5]   6   0
R0#
*Mar  1 01:05:50.979: RADIUS:  NAS-Port-Id         [87]  10  "10.1.1.2"
*Mar  1 01:05:50.979: RADIUS:  Service-Type        [6]   6   Outbound
[5]
*Mar  1 01:05:50.979: RADIUS:  NAS-IP-Address      [4]   6   100.1.1.10
*Mar  1 01:05:51.023: RADIUS: Received from id 1645/19 30.1.1.128:1645,
Access-Accept, len 241
*Mar  1 01:05:51.027: RADIUS:  authenticator EF FD 95 01 38 65 96 42 - 69 ED
BB BB 3B 9B 76 CE
*Mar  1 01:05:51.031: RADIUS:  Vendor, Cisco       [26]  30
*Mar  1 01:05:51.035: RADIUS:   Cisco AVpair       [1]   24
"ipsec:addr-pool=MYPOOL"
*Mar  1 01:05:51.035: RADIUS:  Vendor, Cisco       [26]  23
*Mar  1 01:05:51.039: RADIUS:   Cisco AVpair       [1]   17
"ipsec:inacl=100"
*Mar  1 01:05:51.043: RADIUS:  Vendor, Cisco       [26]  35
*Mar  1 01:05:51.043: RADIUS:   Cisco AVpair       [1]   29
"ipsec:split-dns=company.com"
*Mar  1 01:05:51.047: RADIUS:  Vendor, Cisco       [26]  36
*Mar  1 01:05:51
R0#.047: RADIUS:   Cisco AVpair       [1]   30
"ipsec:dns-servers=30.1.1.128"
*Mar  1 01:05:51.047: RADIUS:  Service-Type        [6]   6   Outbound
[5]
*Mar  1 01:05:51.047: RADIUS:  Tunnel-Type         [64]  6   01:ESP
[9]
*Mar  1 01:05:51.047: RADIUS:  Tunnel-Password     [69]  21  01:*
*Mar  1 01:05:51.047: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
*Mar  1 01:05:51.047: RADIUS:  Class               [25]  23
*Mar  1 01:05:51.047: RADIUS:   43 41 43 53 3A 30 2F 33 61 35 2F 36 34 30 31
30  [CACS:0/3a5/64010]
*Mar  1 01:05:51.047: RADIUS:   31 30 61 2F 30
[10a/0]
*Mar  1 01:05:51.047: RADIUS:  Vendor, Cisco       [26]  35
*Mar  1 01:05:51.047: RADIUS:   Cisco AVpair       [1]   29
"aaa:supplicant-name=MYGROUP"
*Mar  1 01:05:51.055: RADIUS(00000019): Received from id 1645/19
*Mar  1 01:05:51.059: RADIUS/DECODE: parse unknown cisco vsa
"supplicant-name" - IGNORE
R0#
*Mar  1 01:05:56.563: RADIUS/ENCODE(0000001A):Orig. component type =
VPN_IPSEC
*Mar  1 01:05:56.571: RADIUS:  AAA Unsupported Attr: interface         [174]
8
*Mar  1 01:05:56.575: RADIUS:   31 30 2E 31 2E 31
[10.1.1]
*Mar  1 01:05:56.579: RADIUS/ENCODE(0000001A): dropping service type,
"radius-server attribute 6 on-for-login-auth" is off
*Mar  1 01:05:56.583: RADIUS(0000001A): Config NAS IP: 100.1.1.10
*Mar  1 01:05:56.583: RADIUS/ENCODE(0000001A): acct_session_id: 26
*Mar  1 01:05:56.587: RADIUS(0000001A): sending
*Mar  1 01:05:56.599: RADIUS(0000001A): Send Access-Request to
30.1.1.128:1645 id 1645/20, len 83
*Mar  1 01:05:56.603: RADIUS:  authenticator 35 8B D2 5B 41 83 34 6D - 20 68
93 AD DC F6 20 18
*Mar  1 01:05:56.607: RADIUS:  User-Name           [1]   7   "imran"
*Mar  1 01:05:56.611: RADIUS:  User-Password       [2]   18  *
*Mar  1 01:05:56.611: RADIUS:  Calling-Station-Id  [31]  10  "50.1.1.2"
*Mar  1 01:05:56.615: RADIUS:  NA
R0#S-Port-Type       [61]  6   Virtual                   [5]
*Mar  1 01:05:56.619: RADIUS:  NAS-Port            [5]   6   0
*Mar  1 01:05:56.623: RADIUS:  NAS-Port-Id         [87]  10  "10.1.1.2"
*Mar  1 01:05:56.623: RADIUS:  NAS-IP-Address      [4]   6   100.1.1.10
*Mar  1 01:05:56.647: RADIUS: Received from id 1645/20 30.1.1.128:1645,
Access-Accept, len 151
*Mar  1 01:05:56.655: RADIUS:  authenticator CA 45 50 3D F6 25 96 7F - 5B 84
BE FF 27 1D 63 83
*Mar  1 01:05:56.659: RADIUS:  Service-Type        [6]   6   Outbound
[5]
*Mar  1 01:05:56.659: RADIUS:  Tunnel-Type         [64]  6   01:ESP
[9]
*Mar  1 01:05:56.663: RADIUS:  Tunnel-Password     [69]  21  01:*
*Mar  1 01:05:56.667: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
*Mar  1 01:05:56.671: RADIUS:  Vendor, Cisco       [26]  36
*Mar  1 01:05:56.675: RADIUS:   Cisco AVpair       [1]   30
"ipsec:user-vpn-group=MYGROUP"
*
R0#Mar  1 01:05:56.675: RADIUS:  Class               [25]  23
*Mar  1 01:05:56.675: RADIUS:   43 41 43 53 3A 30 2F 33 61 37 2F 36 34 30 31
30  [CACS:0/3a7/64010]
*Mar  1 01:05:56.675: RADIUS:   31 30 61 2F 30
[10a/0]
*Mar  1 01:05:56.675: RADIUS:  Vendor, Cisco       [26]  33
*Mar  1 01:05:56.675: RADIUS:   Cisco AVpair       [1]   27
"aaa:supplicant-name=imran"
*Mar  1 01:05:56.679: RADIUS(0000001A): Received from id 1645/20
*Mar  1 01:05:56.687: RADIUS/DECODE: parse unknown cisco vsa
"supplicant-name" - IGNORE
R0#

Here is the config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile MYPROFILE
   match identity group MYGROUP
   client authentication list MYAUTH
   isakmp authorization list MYAUTHO
   client configuration address respond
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNAMIC 10
 set transform-set 3DES_MD5
 set isakmp-profile MYPROFILE
 reverse-route
crypto map MYMAP 10 ipsec-isakmp dynamic DYNAMIC
ip radius source-interface Loopback1
access-list 100 permit ip 30.1.1.0 0.0.0.255 any
radius-server host 30.1.1.128 auth-port 1645 acct-port 1646 key cisco123

Let me know if any info is required.

Regards
Imran
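
As an added example (not code from the thread, from Cisco, or from ACS/IOS), the following Python parses the kind of "debug radius" output Imran pasted above into per-exchange Cisco AV pairs and then applies the User-VPN-Group check from the Cisco text Tyson quoted: the ipsec:user-vpn-group value returned for the Xauth user is compared with the group the client presented (ID_KEY_ID or certificate OU), and a mismatch means the connection should be terminated. The sample log is constructed and condensed from the thread's debug, the function names are mine, and treating a missing attribute as "no lock enforced" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the "debug radius" output in the thread:
# exchange 1645/19 is the ISAKMP group authorization (User-Name is the group),
# exchange 1645/20 is the Xauth user authentication (User-Name is the user).
SAMPLE_DEBUG = """\
*Mar  1 01:05:50.967: RADIUS(00000019): Send Access-Request to 30.1.1.128:1645 id 1645/19, len 91
*Mar  1 01:05:50.975: RADIUS:  User-Name           [1]   9   "MYGROUP"
*Mar  1 01:05:51.023: RADIUS: Received from id 1645/19 30.1.1.128:1645, Access-Accept, len 241
*Mar  1 01:05:51.035: RADIUS:   Cisco AVpair       [1]   24  "ipsec:addr-pool=MYPOOL"
*Mar  1 01:05:51.039: RADIUS:   Cisco AVpair       [1]   17  "ipsec:inacl=100"
*Mar  1 01:05:56.599: RADIUS(0000001A): Send Access-Request to 30.1.1.128:1645 id 1645/20, len 83
*Mar  1 01:05:56.607: RADIUS:  User-Name           [1]   7   "imran"
*Mar  1 01:05:56.647: RADIUS: Received from id 1645/20 30.1.1.128:1645, Access-Accept, len 151
*Mar  1 01:05:56.675: RADIUS:   Cisco AVpair       [1]   30  "ipsec:user-vpn-group=MYGROUP"
"""

SEND_RE = re.compile(r"Send Access-Request to \S+ id (\S+),")
RECV_RE = re.compile(r"Received from id (\S+) \S+, (Access-\w+),")
USER_RE = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
AVP_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')

def parse_exchanges(debug_text):
    """Group debug lines by RADIUS exchange id -> {user, result, avpairs}."""
    exchanges = defaultdict(lambda: {"user": None, "result": None, "avpairs": {}})
    current = None
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            current = m.group(1)
        elif m := RECV_RE.search(line):
            current = m.group(1)
            exchanges[current]["result"] = m.group(2)
        elif current and (m := USER_RE.search(line)):
            exchanges[current]["user"] = m.group(1)
        elif current and (m := AVP_RE.search(line)):
            key, _, value = m.group(1).partition("=")  # "ipsec:addr-pool=MYPOOL"
            exchanges[current]["avpairs"][key] = value
    return dict(exchanges)

def user_vpn_group_check(isakmp_group, xauth_avpairs):
    """Group lock as the Cisco text describes: ipsec:user-vpn-group returned for
    the Xauth user must equal the group the client presented (ID_KEY_ID for
    preshared keys, OU for certificates). Assumed: no attribute, no lock."""
    locked_to = xauth_avpairs.get("ipsec:user-vpn-group")
    if locked_to is None:
        return True, "no user-vpn-group attribute returned, lock not enforced"
    if locked_to == isakmp_group:
        return True, f"user locked to {locked_to}, matches the presented group"
    return False, f"user locked to {locked_to} but presented {isakmp_group}: terminate"
```

Running `user_vpn_group_check("MYGROUP", parse_exchanges(SAMPLE_DEBUG)["1645/20"]["avpairs"])` accepts the user from the sample; changing the presented group to anything else yields the terminate verdict.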

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
