Hi Mark,

The OU on the ACS will override what is on the ASA, even if it is the same. A practical application is you put all vpn users into one tunnel group/group policy with no access. Then match them by OU and put them in a diff group policy on the ASA based on HR/Execs etc.
JT

On Wed, Sep 14, 2011 at 4:12 PM, Mark Senteza <[email protected]> wrote:
> Kingsley,
>
> I did have the default-group-policy defined under the tunnel-group
> configuration. The config
>
> group-policy EZVPN external server-group RADIUS password cisco
>
> tunnel-group EZVPN type remote-access
> tunnel-group EZVPN general-attributes
>  default-group-policy EZVPN
>
>
> On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles <[email protected]> wrote:
>>
>> When you don't have the "default-group-policy" configured under the tunnel
>> general sub-mode, then ASA will not know which group policy to apply. In
>> that case, you should add Radius AV 25 to the Xauth user account on ACS and
>> that should be the external group policy name that you have configured on
>> the ASA.
>>
>>
>> With regards
>> Kings
>>
>> On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
>>>
>>> Hello all,
>>>
>>> I have my ASA setup as an EZVPN server, with an externally configured
>>> group-policy on the RADIUS server, like so:
>>>
>>> group-policy EZVPN external server-group RADIUS password cisco
>>>
>>> My group setup has the following:
>>>
>>> Group renamed to "EZVPN"
>>>
>>> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
>>> [3076\011] Tunneling-Protocol = WebVPN & IPSec
>>> [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL <- SPLIT-TUNNEL ACL configured on the ASA
>>> [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
>>> [3076\217] Address-Pools = EZVPN <- EZVPN address pool configured on the ASA
>>>
>>> I have a user setup (for pulling down Radius Attributes) as follows:
>>> User Name: EZVPN (same name as the Group)
>>> Password: cisco
>>>
>>> And finally my XAUTH User Setup
>>> User Name: ezvpnuser
>>> Password: cisco
>>>
>>> setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes
>>> [009\001] cisco-av-pair
>>> ipsec:user-vpn-group=EZVPN
>>>
>>> setup config for test 2 - under IETF RADIUS Attributes
>>> [025] Class
>>> OU=EZVPN;
>>>
>>> My question is related to the setup config I mentioned in the last
>>> section for test 1 and test 2. When I use either config for the XAUTH user I
>>> am still able to successfully establish a VPN connection to the ASA EZVPN
>>> server. The user is assigned the attributes as defined in the group setup
>>> and encrypts traffic only to the split-tunnel networks.
>>>
>>> Why and when would I have to use the "[025] Class" config under the IETF
>>> RADIUS Attributes for the user?
>>>
>>> Mark
>>
>

_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
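The pattern JT describes (one tunnel group whose default policy allows no access, with the RADIUS Class "OU=...;" value selecting a per-department group policy) as an ASA configuration sketch. This is an added example, not configuration posted by anyone in the thread; the names NOACCESS, HR, EXECS, HR-SPLIT, HR-POOL and EXECS-POOL and the addresses are assumptions.

```cisco
! Added example (not from the thread). Hypothetical names and addresses:
! NOACCESS, HR, EXECS, HR-SPLIT, HR-POOL, EXECS-POOL, 10.10.0.0/16, 10.99.x.x.
!
! 1. Default policy for the tunnel group: zero simultaneous logins, so a user
!    whose RADIUS Access-Accept carries no matching Class OU= value cannot
!    establish a session even after a successful XAUTH.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 2. Per-department policies. The ASA selects one when IETF attribute 25
!    (Class) in the Access-Accept reads "OU=HR;" or "OU=EXECS;". The OU value
!    must equal the group-policy name exactly (case-sensitive).
access-list HR-SPLIT standard permit 10.10.0.0 255.255.0.0
ip local pool HR-POOL 10.99.1.1-10.99.1.100 mask 255.255.255.0
ip local pool EXECS-POOL 10.99.2.1-10.99.2.50 mask 255.255.255.0
!
group-policy HR internal
group-policy HR attributes
 vpn-simultaneous-logins 3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HR-SPLIT
 address-pools value HR-POOL
!
group-policy EXECS internal
group-policy EXECS attributes
 vpn-simultaneous-logins 3
 split-tunnel-policy tunnelall
 address-pools value EXECS-POOL
!
! 3. Every EZVPN client lands in the same tunnel group; the RADIUS-supplied
!    OU then overrides the default, which is the override JT refers to.
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 authentication-server-group RADIUS
 default-group-policy NOACCESS
!
! 4. Check after a test login: the session's "Group Policy" field should show
!    HR or EXECS; a session showing NOACCESS (or none at all) means the Class
!    value on the ACS does not match a group-policy name.
! ASA# show vpn-sessiondb remote
```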
