I think you are confusing the ASA's and IOS's mechanisms of group-lock.

The group-lock feature of IOS and ASA is quite different. On IOS, you need to send the username together with the group name and a delimiter from the client. The group name sent with the username should match the group name on the server. With ASA, the group name configured on the username (and on the group-policy that uses group-lock) should match the tunnel-group on which the request lands. With ASA, you should send the username alone, without the group name, from the client (like remote-vpn), while with IOS you send [email protected]. The username on AAA for IOS should be [email protected], and for ASA it should be remote-vpn.

With regards,
Kings

On Sun, Dec 5, 2010 at 5:01 AM, Jerome Dolphin <[email protected]> wrote:
> Hi Tyson, the ones we would expect. I think the ASA does not look at the
> post @ text in a username for group-lock validation?
>
> -----------------------------------------
> ASA2# deb cry isa
> %ASA-6-302015: Built inbound UDP connection 13 for outside:192.1.49.100/1156 (192.1.49.100/1156) to identity:192.168.5.5/500 (192.168.5.5/500)
> %ASA-7-713236: IP = 192.1.49.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
>
> <omitted>
>
> %ASA-7-713906: IP = 192.1.49.100, Connection landed on tunnel_group EZVPN
>
> <omitted>
>
> %ASA-7-715047: Group = EZVPN, IP = 192.1.49.100, processing IKE SA payload
>
> <omitted>
>
> %ASA-7-715001: Group = EZVPN, IP = 192.1.49.100, Processing MODE_CFG Reply attributes.
> %ASA-6-113004: AAA user authentication Successful : server = 192.1.12.100 : user = remote-...@r5-ezvpn
> %ASA-6-113009: AAA retrieved default group policy (EZVPN_GP) for user = remote-...@r5-ezvpn
> %ASA-6-113008: AAA transaction status ACCEPT : user = remote-...@r5-ezvpn
> -----------------------------------------
>
> On Sun, Dec 5, 2010 at 6:09 AM, Tyson Scott <[email protected]> wrote:
>> When you turn on the debug, what tunnel-group and group-policy is authenticating
>> the other user?
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Jerome Dolphin
>> Sent: Saturday, December 04, 2010 3:59 AM
>> To: OSL Security
>> Subject: [OSL | CCIE_Security] Lab 17 Task 4.4 / ASA remote access VPN
>>
>> Hi again.
>>
>> Looks like I'm running into a lot of issues on this lab :)
>>
>> Task 4.4 asks that we only allow the user to be authorized against a group
>> if they are assigned to the group. This must be restricted locally on ASA2.
>>
>> I've configured group-lock on the group-policy, but for some reason it's
>> not working as expected, because the user created in the previous task named
>> remote-...@r5-ezvpn can log in. Any idea what I'm missing? I think I've
>> matched the solution guide answer...
>>
>> I could configure the Tunnel-Group-Lock RADIUS attribute on the ACS, but I
>> think that breaks the requirements of the task, and it is not mentioned in
>> the solutions?
>>
>> group-policy EZVPN_GP internal
>> group-policy EZVPN_GP attributes
>>  banner value Welcome to IPexpert
>>  group-lock value EZVPN
>>  split-tunnel-policy tunnelspecified
>>  split-tunnel-network-list value SPLIT_TUNNEL01
>>  default-domain value ipexpert.com
>>  user-authentication enable
>>
>> ASA2# show run tunnel-g
>> tunnel-group EZVPN type remote-access
>> tunnel-group EZVPN general-attributes
>>  address-pool EZVPN_POOL01
>>  authentication-server-group RADIUS01
>>  default-group-policy EZVPN_GP
>>  authorization-required
>> tunnel-group EZVPN ipsec-attributes
>>  pre-shared-key *
>> ASA2#
>>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
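As an added illustration of the distinction Kings draws (this is not from the thread and is not the lab's solution guide): an ASA configuration in which group-lock is enforced locally, followed by the IOS Easy VPN server counterpart. The second tunnel-group OTHER, the group-policy OTHER_GP, the local user, the pre-shared keys and the password are assumed names and values chosen for the example. The expected-behaviour comments describe how group-lock is evaluated on each platform as stated in the reply above, not output captured from a device.

```text
! ---- ASA: group-lock is a tunnel-group name on the user's effective group-policy ----
! The lock is checked against the tunnel-group the connection "landed on"
! (the group name the IPsec client sends), not against any text after "@"
! in the Xauth username.
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 group-lock value EZVPN
!
group-policy OTHER_GP internal
!
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool EZVPN_POOL01
 default-group-policy EZVPN_GP
tunnel-group EZVPN ipsec-attributes
 pre-shared-key EZVPN-psk
!
! Assumed second group, used only to show the lock rejecting a connection.
tunnel-group OTHER type remote-access
tunnel-group OTHER general-attributes
 address-pool EZVPN_POOL01
 default-group-policy OTHER_GP
tunnel-group OTHER ipsec-attributes
 pre-shared-key OTHER-psk
!
! Local (assumed) user. The username is plain, with no @group suffix; the
! lock comes from the group-policy bound to the user, so it follows the
! user whichever tunnel-group the client lands on.
username remote-vpn password Cisco123
username remote-vpn attributes
 vpn-group-policy EZVPN_GP
!
! Expected evaluation:
!   client group EZVPN, user remote-vpn           -> accepted (lock EZVPN == landed EZVPN)
!   client group OTHER, user remote-vpn           -> rejected (lock EZVPN != landed OTHER)
!   client group EZVPN, user remote-vpn@r5-ezvpn  -> "remote-vpn@r5-ezvpn" is looked up
!       literally on AAA; the "@r5-ezvpn" part is never parsed as a group name
!
! ---- IOS Easy VPN server counterpart (assumed names; profile/pool config omitted) ----
! Here the client sends user@group as the Xauth username, the group part must
! match the ISAKMP client configuration group, and the AAA entry carries the
! full user@group string.
username remote-vpn@EZVPN password 0 Cisco123
!
crypto isakmp client configuration group EZVPN
 key EZVPN-psk
 pool EZVPN_POOL01
 group-lock
```

The check that matters on the ASA side is therefore the `Connection landed on tunnel_group` debug line paired with the group-policy that was retrieved for the user: if the group-lock value in that group-policy equals the landed tunnel-group, the user gets in regardless of what the username looks like.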
