Hi Kings,

> With ASA, the group-name configured on the username and group
> using group-lock should match the tunnel-group on which the request lands.

Thanks, understand. The WB question stipulates "Authenticate the group locally. Authenticate the user via radius. Only allow the user to be authorized against the group if he is assigned to the group. This must be restricted locally on ASA2." What I am trying to understand is how this is achieved by provisioning a username "remote-...@ezvpn" on the radius server with no tunnel-group-lock attribute programmed?

On Sun, Dec 5, 2010 at 5:03 PM, Kingsley Charles <[email protected]> wrote:

> I think you are confusing ASA's and IOS's mechanism of group-lock.
>
> The group-lock feature of IOS and ASA is quite different.
>
> On the IOS, you need to send the username with group-name with delimiter
> on the client. The group name with the username should match the group name
> on the server.
>
> With ASA, the group-name configured on the username and group using
> group-lock should match the tunnel-group on which the request lands.
>
> With ASA, you should send the username alone without group-name from the client,
> like remote-vpn, while with IOS you send [email protected].
>
> The username on AAA for IOS should be [email protected], and for ASA it should
> be remote-vpn.
>
> With regards
> Kings
>
> On Sun, Dec 5, 2010 at 5:01 AM, Jerome Dolphin <[email protected]> wrote:
>
>> Hi Tyson, the ones we would expect. I think the ASA does not look at the
>> post @ text in a username for group-lock validation?
>>
>> -----------------------------------------
>> ASA2# deb cry isa
>> %ASA-6-302015: Built inbound UDP connection 13 for outside:192.1.49.100/1156 (192.1.49.100/1156) to identity:192.168.5.5/500 (192.168.5.5/500)
>> %ASA-7-713236: IP = 192.1.49.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
>>
>> <omitted>
>>
>> %ASA-7-713906: IP = 192.1.49.100, Connection landed on tunnel_group EZVPN
>>
>> <omitted>
>>
>> %ASA-7-715047: Group = EZVPN, IP = 192.1.49.100, processing IKE SA payload
>>
>> <omitted>
>>
>> %ASA-7-715001: Group = EZVPN, IP = 192.1.49.100, Processing MODE_CFG Reply attributes.
>> %ASA-6-113004: AAA user authentication Successful : server = 192.1.12.100 : user = remote-...@r5-ezvpn
>> %ASA-6-113009: AAA retrieved default group policy (EZVPN_GP) for user = remote-...@r5-ezvpn
>> %ASA-6-113008: AAA transaction status ACCEPT : user = remote-...@r5-ezvpn
>> -----------------------------------------
>>
>> On Sun, Dec 5, 2010 at 6:09 AM, Tyson Scott <[email protected]> wrote:
>>
>>> When you turn on the debug, what tunnel and group-policy is authenticating
>>> the other user?
>>>
>>> Regards,
>>>
>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>>> Mailto: [email protected]
>>> Telephone: +1.810.326.1444, ext. 208
>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>> eFax: +1.810.454.0130
>>>
>>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>> training locations throughout the United States, Europe, South Asia and
>>> Australia. Be sure to visit our online communities at
>>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Jerome Dolphin
>>> Sent: Saturday, December 04, 2010 3:59 AM
>>> To: OSL Security
>>> Subject: [OSL | CCIE_Security] Lab 17 Task 4.4 / ASA remote access VPN
>>>
>>> Hi again.
>>>
>>> Looks like I'm running into a lot of issues on this lab :)
>>>
>>> Task 4.4 asks that we only allow the user to be authorized against a
>>> group if they are assigned to the group. This must be restricted locally on
>>> ASA2.
>>>
>>> I've configured group-lock on the group-policy, but for some reason it's
>>> not working as expected because the user created in the previous task named
>>> remote-...@r5-ezvpn can login. Any idea what I'm missing? I think I've
>>> matched the solution guide answer...
>>>
>>> I could configure the Tunnel-Group-Lock radius attribute on the ACS, but
>>> I think that breaks the requirements of the task and it is not mentioned in
>>> the solutions?
>>>
>>> group-policy EZVPN_GP internal
>>> group-policy EZVPN_GP attributes
>>>  banner value Welcome to IPexpert
>>>  group-lock value EZVPN
>>>  split-tunnel-policy tunnelspecified
>>>  split-tunnel-network-list value SPLIT_TUNNEL01
>>>  default-domain value ipexpert.com
>>>  user-authentication enable
>>>
>>> ASA2# show run tunnel-g
>>> tunnel-group EZVPN type remote-access
>>> tunnel-group EZVPN general-attributes
>>>  address-pool EZVPN_POOL01
>>>  authentication-server-group RADIUS01
>>>  default-group-policy EZVPN_GP
>>>  authorization-required
>>> tunnel-group EZVPN ipsec-attributes
>>>  pre-shared-key *
>>> ASA2#
>>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
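As an added illustration of the debug lines quoted in the thread (this is not code from the thread or from Cisco): a small Python check that correlates the 713906 "Connection landed on tunnel_group" line with the 113004/113009 AAA lines for the same connection and reports whether the username's "@suffix" actually names the tunnel-group the connection landed on. The sample debug text is constructed from the thread's lines, with the elided username replaced by the placeholder "remote-user@r5-ezvpn"; the ASA itself does not make this comparison (as the thread notes, ASA group-lock keys off the tunnel-group, not the text after "@"), so this is a log audit for spotting such logins, not a model of the ASA's behaviour.

```python
import re

# Constructed sample, modelled on the "deb cry isa" lines quoted in the thread.
# The peer/server IPs and tunnel-group are the thread's own; the username is a
# constructed placeholder, since the thread shows it only as "remote-...@r5-ezvpn".
SAMPLE_DEBUG = """\
%ASA-7-713906: IP = 192.1.49.100, Connection landed on tunnel_group EZVPN
%ASA-7-715047: Group = EZVPN, IP = 192.1.49.100, processing IKE SA payload
%ASA-6-113004: AAA user authentication Successful : server = 192.1.12.100 : user = remote-user@r5-ezvpn
%ASA-6-113009: AAA retrieved default group policy (EZVPN_GP) for user = remote-user@r5-ezvpn
%ASA-6-113008: AAA transaction status ACCEPT : user = remote-user@r5-ezvpn
"""

LANDED_RE = re.compile(r"%ASA-7-713906: IP = (?P<ip>\S+), Connection landed on tunnel_group (?P<tg>\S+)")
AUTH_OK_RE = re.compile(r"%ASA-6-113004: AAA user authentication Successful : .*: user = (?P<user>\S+)")
GP_RE = re.compile(r"%ASA-6-113009: AAA retrieved default group policy \((?P<gp>[^)]+)\) for user = (?P<user>\S+)")


def audit_group_suffix(debug_text):
    """Correlate each successful AAA authentication with the tunnel-group the
    connection landed on and report whether the username's "@suffix" names that
    tunnel-group. Assumes lines are in per-connection order, as in one debug
    session on the box; the ASA does not perform this comparison itself."""
    findings = []
    current = None  # (peer ip, tunnel-group) from the most recent 713906 line
    for line in debug_text.splitlines():
        m = LANDED_RE.search(line)
        if m:
            current = (m.group("ip"), m.group("tg"))
            continue
        m = AUTH_OK_RE.search(line)
        if m and current:
            user = m.group("user")
            suffix = user.rpartition("@")[2] if "@" in user else ""
            findings.append({
                "peer": current[0],
                "tunnel_group": current[1],
                "user": user,
                "suffix": suffix,
                "group_policy": None,  # filled from the following 113009 line
                "suffix_matches_tunnel_group": suffix.lower() == current[1].lower(),
            })
            continue
        m = GP_RE.search(line)
        if m and findings and findings[-1]["user"] == m.group("user"):
            findings[-1]["group_policy"] = m.group("gp")
    return findings


if __name__ == "__main__":
    for f in audit_group_suffix(SAMPLE_DEBUG):
        flag = "ok" if f["suffix_matches_tunnel_group"] else "MISMATCH"
        print(f"{f['peer']} user={f['user']} tunnel-group={f['tunnel_group']} "
              f"group-policy={f['group_policy']} suffix={f['suffix']!r} {flag}")
```

Run against a longer capture, the output lists every accepted user together with the tunnel-group and group-policy the ASA actually applied, which is the quickest way to see that a user named for one group was admitted through another.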
