Darren,

As is mentioned below, the ipsec:user-vpn-group= attribute replaces the ipsec:group-lock attribute. It isn't that it is not available; it is that it is enhanced through the new attribute.

The above attribute will work for both RADIUS and TACACS+.

Look forward to seeing you in class.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: Darren Johnson [mailto:[email protected]]
Sent: Tuesday, October 12, 2010 12:15 AM
To: 'Tyson Scott'; 'imran mohammed'
Cc: 'Cisco certification'; 'OSL CCIE Security Lab Exam'
Subject: RE: [OSL | CCIE_Security] Group attribute settings in ezvpn

Hi guys.

Just for my own sanity, can someone confirm this understanding (ignoring the VPN concentrators)?

The 'old' Group-Lock (where users can be assigned to specific VPN groups) is ONLY now supported when using LOCAL authentication?

Secondly, if I use RADIUS for authentication I can only 'check' that the group name the user is trying to connect to is valid, using the Tunnel-group-lock attribute on the ACS. If the group name matches the user is allowed; if not, it fails.

Is this correct? I'd appreciate your comments (Tyson especially :-) See you next month in Ohio for your bootcamp!).

Dazzler

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tyson Scott
Sent: 06 November 2009 04:17
To: 'imran mohammed'
Cc: 'Cisco certification'; 'OSL CCIE Security Lab Exam'
Subject: RE: [OSL | CCIE_Security] Group attribute settings in ezvpn

Here is the information from Cisco.
One note is that it actually also works with TACACS+.

User-VPN-Group

The User-VPN-Group attribute is a replacement for the Group-Lock attribute (http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hunity.html#wp1140480). It allows support for both preshared key and RSA signature authentication mechanisms such as certificates. If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated.

This feature works only with AAA RADIUS. Local Xauth authentication must still use the Group-Lock attribute.

The following is an output example of a RADIUS AV pair for the User-VPN-Group attribute:

ipsec:user-vpn-group=cisco

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: imran mohammed [mailto:[email protected]]
Sent: Thursday, November 05, 2009 12:49 PM
To: Tyson Scott
Cc: Cisco certification; OSL CCIE Security Lab Exam
Subject: Re: [OSL | CCIE_Security] Group attribute settings in ezvpn

Hi Tyson,

I totally agree with your point; actually I did that and it works fine.
If I am not wrong, normally the group attributes will be applied to the user first. Suppose, in my case, MYPOOL: when I add the attribute to the user setup it works fine, as you said. But here I want MYPOOL to be assigned to all the users in the group, so I have put that in the group setup and removed it from the user setup (as user attributes override the group attributes). When I do that I don't get the IP address assigned, i.e. the group attributes are not being assigned; it is not just the pool, even the other attributes like DNS.

One more point: the user which I have created is, for example, user1, and my group is MYGROUP. Do I need to add this user user1 into MYGROUP? Because in my ACS config it is in the default group; if I put it in MYGROUP it works fine as expected. If we do that, then what is the use of having the ipsec:user-vpn-group AV?

Regards
Imran

On Thu, Nov 5, 2009 at 10:54 PM, Tyson Scott <[email protected]> wrote:

Add all the settings to the user's group or add all the settings to the user and it will work fine.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of imran mohammed
Sent: Thursday, November 05, 2009 12:03 PM
To: Cisco certification; OSL CCIE Security Lab Exam
Subject: [OSL | CCIE_Security] Group attribute settings in ezvpn

Hi All,

This time I am working with RADIUS Xauth and authorization for EzVPN.
This is what I am trying to configure: users get authenticated (which is working), and the ACS should respond with the group information (in my case MYGROUP) so that all the policies belonging to that group are assigned to that user.

Under group settings I have configured:

ipsec:addr-pool=MYPOOL
ipsec:inacl=100
ipsec:split-dns=company.com
ipsec:dns-servers=30.1.1.128

Under user (the user belongs to the default group):

ipsec:user-vpn-group=MYGROUP

Now things work fine if I assign the user to MYGROUP or define ipsec:addr-pool=MYPOOL under the user settings. The problem is that even though ACS tells that the user belongs to MYGROUP, the group-level attributes are not implemented, so I don't get assigned an IP address from the pool (as I see in debug isakmp). If I put the pool AV in the user settings it works fine.

Here is my RADIUS debug:

*Mar 1 01:05:50.943: RADIUS/ENCODE(00000019):Orig. component type = VPN_IPSEC
*Mar 1 01:05:50.947: RADIUS: AAA Unsupported Attr: interface [174] 8
*Mar 1 01:05:50.947: RADIUS: 31 30 2E 31 2E 31 [10.1.1]
*Mar 1 01:05:50.951: RADIUS(00000019): Config NAS IP: 100.1.1.10
*Mar 1 01:05:50.955: RADIUS/ENCODE(00000019): acct_session_id: 25
*Mar 1 01:05:50.955: RADIUS(00000019): sending
*Mar 1 01:05:50.967: RADIUS(00000019): Send Access-Request to 30.1.1.128:1645 id 1645/19, len 91
*Mar 1 01:05:50.971: RADIUS: authenticator A9 96 66 51 F0 F1 28 04 - 19 D2 EF 59 E1 25 A5 0B
*Mar 1 01:05:50.975: RADIUS: User-Name [1] 9 "MYGROUP"
*Mar 1 01:05:50.979: RADIUS: User-Password [2] 18 *
*Mar 1 01:05:50.979: RADIUS: Calling-Station-Id [31] 10 "50.1.1.2"
*Mar 1 01:05:50.979: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 01:05:50.979: RADIUS: NAS-Port [5] 6 0
*Mar 1 01:05:50.979: RADIUS: NAS-Port-Id [87] 10 "10.1.1.2"
*Mar 1 01:05:50.979: RADIUS: Service-Type [6] 6 Outbound [5]
*Mar 1 01:05:50.979: RADIUS: NAS-IP-Address [4] 6 100.1.1.10
*Mar 1 01:05:51.023: RADIUS: Received from id 1645/19 30.1.1.128:1645, Access-Accept, len 241
*Mar 1 01:05:51.027: RADIUS: authenticator EF FD 95 01 38 65 96 42 - 69 ED BB BB 3B 9B 76 CE
*Mar 1 01:05:51.031: RADIUS: Vendor, Cisco [26] 30
*Mar 1 01:05:51.035: RADIUS: Cisco AVpair [1] 24 "ipsec:addr-pool=MYPOOL"
*Mar 1 01:05:51.035: RADIUS: Vendor, Cisco [26] 23
*Mar 1 01:05:51.039: RADIUS: Cisco AVpair [1] 17 "ipsec:inacl=100"
*Mar 1 01:05:51.043: RADIUS: Vendor, Cisco [26] 35
*Mar 1 01:05:51.043: RADIUS: Cisco AVpair [1] 29 "ipsec:split-dns=company.com"
*Mar 1 01:05:51.047: RADIUS: Vendor, Cisco [26] 36
*Mar 1 01:05:51.047: RADIUS: Cisco AVpair [1] 30 "ipsec:dns-servers=30.1.1.128"
*Mar 1 01:05:51.047: RADIUS: Service-Type [6] 6 Outbound [5]
*Mar 1 01:05:51.047: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
*Mar 1 01:05:51.047: RADIUS: Tunnel-Password [69] 21 01:*
*Mar 1 01:05:51.047: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 01:05:51.047: RADIUS: Class [25] 23
*Mar 1 01:05:51.047: RADIUS: 43 41 43 53 3A 30 2F 33 61 35 2F 36 34 30 31 30 [CACS:0/3a5/64010]
*Mar 1 01:05:51.047: RADIUS: 31 30 61 2F 30 [10a/0]
*Mar 1 01:05:51.047: RADIUS: Vendor, Cisco [26] 35
*Mar 1 01:05:51.047: RADIUS: Cisco AVpair [1] 29 "aaa:supplicant-name=MYGROUP"
*Mar 1 01:05:51.055: RADIUS(00000019): Received from id 1645/19
*Mar 1 01:05:51.059: RADIUS/DECODE: parse unknown cisco vsa "supplicant-name" - IGNORE
*Mar 1 01:05:56.563: RADIUS/ENCODE(0000001A):Orig. component type = VPN_IPSEC
*Mar 1 01:05:56.571: RADIUS: AAA Unsupported Attr: interface [174] 8
*Mar 1 01:05:56.575: RADIUS: 31 30 2E 31 2E 31 [10.1.1]
*Mar 1 01:05:56.579: RADIUS/ENCODE(0000001A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Mar 1 01:05:56.583: RADIUS(0000001A): Config NAS IP: 100.1.1.10
*Mar 1 01:05:56.583: RADIUS/ENCODE(0000001A): acct_session_id: 26
*Mar 1 01:05:56.587: RADIUS(0000001A): sending
*Mar 1 01:05:56.599: RADIUS(0000001A): Send Access-Request to 30.1.1.128:1645 id 1645/20, len 83
*Mar 1 01:05:56.603: RADIUS: authenticator 35 8B D2 5B 41 83 34 6D - 20 68 93 AD DC F6 20 18
*Mar 1 01:05:56.607: RADIUS: User-Name [1] 7 "imran"
*Mar 1 01:05:56.611: RADIUS: User-Password [2] 18 *
*Mar 1 01:05:56.611: RADIUS: Calling-Station-Id [31] 10 "50.1.1.2"
*Mar 1 01:05:56.615: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 01:05:56.619: RADIUS: NAS-Port [5] 6 0
*Mar 1 01:05:56.623: RADIUS: NAS-Port-Id [87] 10 "10.1.1.2"
*Mar 1 01:05:56.623: RADIUS: NAS-IP-Address [4] 6 100.1.1.10
*Mar 1 01:05:56.647: RADIUS: Received from id 1645/20 30.1.1.128:1645, Access-Accept, len 151
*Mar 1 01:05:56.655: RADIUS: authenticator CA 45 50 3D F6 25 96 7F - 5B 84 BE FF 27 1D 63 83
*Mar 1 01:05:56.659: RADIUS: Service-Type [6] 6 Outbound [5]
*Mar 1 01:05:56.659: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
*Mar 1 01:05:56.663: RADIUS: Tunnel-Password [69] 21 01:*
*Mar 1 01:05:56.667: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 01:05:56.671: RADIUS: Vendor, Cisco [26] 36
*Mar 1 01:05:56.675: RADIUS: Cisco AVpair [1] 30 "ipsec:user-vpn-group=MYGROUP"
*Mar 1 01:05:56.675: RADIUS: Class [25] 23
*Mar 1 01:05:56.675: RADIUS: 43 41 43 53 3A 30 2F 33 61 37 2F 36 34 30 31 30 [CACS:0/3a7/64010]
*Mar 1 01:05:56.675: RADIUS: 31 30 61 2F 30 [10a/0]
*Mar 1 01:05:56.675: RADIUS: Vendor, Cisco [26] 33
*Mar 1 01:05:56.675: RADIUS: Cisco AVpair [1] 27 "aaa:supplicant-name=imran"
*Mar 1 01:05:56.679: RADIUS(0000001A): Received from id 1645/20
*Mar 1 01:05:56.687: RADIUS/DECODE: parse unknown cisco vsa "supplicant-name" - IGNORE

Here is the config:

! The AAA method lists referenced by the ISAKMP profile (MYAUTH, MYAUTHO) were
! not included in the original post; the three lines below are assumed and
! added here so the profile's references resolve.
aaa new-model
aaa authentication login MYAUTH group radius
aaa authorization network MYAUTHO group radius
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp profile MYPROFILE
 match identity group MYGROUP
 client authentication list MYAUTH
 isakmp authorization list MYAUTHO
 client configuration address respond
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC 10
 set transform-set 3DES_MD5
 set isakmp-profile MYPROFILE
 reverse-route
!
crypto map MYMAP 10 ipsec-isakmp dynamic DYNAMIC
!
ip radius source-interface Loopback1
access-list 100 permit ip 30.1.1.0 0.0.0.255 any
radius-server host 30.1.1.128 auth-port 1645 acct-port 1646 key cisco123

Let me know if any info is required.

Regards
Imran

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
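As an added example (not code from the thread, from Cisco or from IPexpert), the following Python script parses `debug radius` lines in the format Imran posted and applies the User-VPN-Group check from the Cisco text quoted above: the group the client asked for (the User-Name of the group authorization Access-Request, i.e. the ISAKMP ID_KEY_ID for pre-shared keys) must equal the `ipsec:user-vpn-group` value returned for the Xauth user, otherwise the connection is terminated. The sample log is constructed to mirror the thread; the third user (mallory) and the group OTHERGROUP are invented to show a mismatch, and the rule that per-user `ipsec:` attributes override group-level ones is an assumption of this model taken from Imran's description, not something the thread verifies.

```python
"""Parse Cisco IOS 'debug radius' output for an EzVPN session and apply the
User-VPN-Group check described in the thread.

Added example, not code from the original post, from Cisco or from IPexpert.
SAMPLE_DEBUG is constructed to mirror the format posted above; the third user
(mallory) and the group OTHERGROUP are invented to show a mismatch.
"""
import re
from dataclasses import dataclass, field

SEND_RE = re.compile(r'Send Access-Request to \S+ id (\S+), len \d+')
RECV_RE = re.compile(r'Received from id (\S+) \S+, (Access-\w+), len \d+')
UNAME_RE = re.compile(r'User-Name \[1\] \d+ "([^"]*)"')
AVPAIR_RE = re.compile(r'Cisco AVpair \[1\] \d+ "([^"]*)"')


@dataclass
class Exchange:
    req_id: str
    user_name: str = ""            # User-Name sent in the Access-Request
    code: str = ""                 # Access-Accept / Access-Reject / "" if no reply seen
    avpairs: dict = field(default_factory=dict)   # e.g. "ipsec:addr-pool" -> "MYPOOL"


def parse_debug_radius(text: str) -> list:
    """One Exchange per Access-Request, carrying the ipsec: AV pairs of its reply."""
    by_id, order, current, in_reply = {}, [], None, False
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            current = Exchange(req_id=m.group(1))
            by_id[current.req_id] = current
            order.append(current)
            in_reply = False
        elif m := RECV_RE.search(line):
            current = by_id.get(m.group(1))
            if current is not None:
                current.code = m.group(2)
                in_reply = True
        elif current is None:
            continue
        elif (m := UNAME_RE.search(line)) and not in_reply:
            current.user_name = m.group(1)
        elif (m := AVPAIR_RE.search(line)) and in_reply:
            key, _, value = m.group(1).partition("=")
            # IOS only acts on the ipsec: namespace; aaa:supplicant-name is
            # ignored ("parse unknown cisco vsa ... - IGNORE" in the debug above)
            if key.startswith("ipsec:"):
                current.avpairs[key] = value
    return order


def check_user_vpn_group(requested_group: str, user_avpairs: dict) -> tuple:
    """User-VPN-Group check: the group the client presented must equal the group
    the AAA server says the user belongs to. No attribute means no lock is enforced."""
    locked = user_avpairs.get("ipsec:user-vpn-group")
    if locked is None:
        return True, "no ipsec:user-vpn-group returned; no group lock enforced"
    if locked != requested_group:
        return False, f"user belongs to {locked!r} but requested {requested_group!r}; terminate"
    return True, f"group lock satisfied for {requested_group!r}"


def effective_policy(group_avpairs: dict, user_avpairs: dict) -> dict:
    """Merge group-level and user-level ipsec: attributes; per-user values win
    (assumption of this model, taken from the thread's description)."""
    policy = dict(group_avpairs)
    policy.update({k: v for k, v in user_avpairs.items() if k != "ipsec:user-vpn-group"})
    return policy


def evaluate_session(requested_group: str, user: str, exchanges: list) -> dict:
    """Group authorization first (User-Name == group name), then Xauth for the user."""
    group_x = next((x for x in exchanges
                    if x.user_name == requested_group and x.code == "Access-Accept"), None)
    user_x = next((x for x in exchanges
                   if x.user_name == user and x.code == "Access-Accept"), None)
    if group_x is None or user_x is None:
        return {"accepted": False, "reason": "missing Access-Accept for group or user", "policy": {}}
    ok, reason = check_user_vpn_group(requested_group, user_x.avpairs)
    return {"accepted": ok, "reason": reason,
            "policy": effective_policy(group_x.avpairs, user_x.avpairs) if ok else {}}


# Constructed sample, trimmed to the lines the parser needs (format as in the thread).
SAMPLE_DEBUG = """\
*Mar 1 01:05:50.967: RADIUS(00000019): Send Access-Request to 30.1.1.128:1645 id 1645/19, len 91
*Mar 1 01:05:50.975: RADIUS: User-Name [1] 9 "MYGROUP"
*Mar 1 01:05:51.023: RADIUS: Received from id 1645/19 30.1.1.128:1645, Access-Accept, len 241
*Mar 1 01:05:51.035: RADIUS: Cisco AVpair [1] 24 "ipsec:addr-pool=MYPOOL"
*Mar 1 01:05:51.039: RADIUS: Cisco AVpair [1] 17 "ipsec:inacl=100"
*Mar 1 01:05:51.047: RADIUS: Cisco AVpair [1] 30 "ipsec:dns-servers=30.1.1.128"
*Mar 1 01:05:51.047: RADIUS: Cisco AVpair [1] 29 "aaa:supplicant-name=MYGROUP"
*Mar 1 01:05:56.599: RADIUS(0000001A): Send Access-Request to 30.1.1.128:1645 id 1645/20, len 83
*Mar 1 01:05:56.607: RADIUS: User-Name [1] 7 "imran"
*Mar 1 01:05:56.647: RADIUS: Received from id 1645/20 30.1.1.128:1645, Access-Accept, len 151
*Mar 1 01:05:56.675: RADIUS: Cisco AVpair [1] 30 "ipsec:user-vpn-group=MYGROUP"
*Mar 1 01:06:10.100: RADIUS(0000001B): Send Access-Request to 30.1.1.128:1645 id 1645/21, len 83
*Mar 1 01:06:10.105: RADIUS: User-Name [1] 9 "mallory"
*Mar 1 01:06:10.150: RADIUS: Received from id 1645/21 30.1.1.128:1645, Access-Accept, len 151
*Mar 1 01:06:10.155: RADIUS: Cisco AVpair [1] 33 "ipsec:user-vpn-group=OTHERGROUP"
"""

if __name__ == "__main__":
    exchanges = parse_debug_radius(SAMPLE_DEBUG)
    for who in ("imran", "mallory"):
        print(who, evaluate_session("MYGROUP", who, exchanges))
```

Reading the thread's own debug through this lens: the first Access-Request carries User-Name "MYGROUP" and its Access-Accept returns the pool, ACL and DNS AV pairs; the second carries User-Name "imran" and returns only ipsec:user-vpn-group=MYGROUP. The lock passes because the two names agree; a user whose ipsec:user-vpn-group names a different group is rejected before any policy is merged.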
