Jim, so you're saying that the [025] Class setting overrides the "ipsec:user-vpn-group" setting or directly adding the user to the group? Is that right?
Mark

On Wed, Sep 14, 2011 at 5:58 PM, Jim Terry <[email protected]> wrote:
> Hi Mark,
>
> The OU on the ACS will override what is on the ASA, even if it is the
> same. A practical application is you put all vpn users into one
> tunnel group/group policy with no access. Then match them by OU and
> put them in a diff group policy on the ASA based on HR/Execs etc.
>
> JT
>
>
> On Wed, Sep 14, 2011 at 4:12 PM, Mark Senteza <[email protected]>
> wrote:
> > Kingsley,
> >
> > I did have the default-group-policy defined under the tunnel-group
> > configuration. The config
> >
> > group-policy EZVPN external server-group RADIUS password cisco
> >
> > tunnel-group EZVPN type remote-access
> > tunnel-group EZVPN general-attributes
> > default-group-policy EZVPN
> >
> >
> > On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles
> > <[email protected]> wrote:
> >>
> >> When you don't have the "default-group-policy" configured under the tunnel
> >> general sub-mode, then ASA will not know which group policy to apply. In
> >> that case, you should add Radius AV 25 to the Xauth user account on ACS and
> >> that should be the external group policy name that you have configured on
> >> the ASA.
> >>
> >>
> >> With regards
> >> Kings
> >>
> >> On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]>
> >> wrote:
> >>>
> >>> Hello all,
> >>>
> >>> I have my ASA setup as an EZVPN server, with an externally configured
> >>> group-policy on the RADIUS server, like so:
> >>>
> >>> group-policy EZVPN external server-group RADIUS password cisco
> >>>
> >>> My group setup has the following:
> >>>
> >>> Group renamed to "EZVPN"
> >>>
> >>> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
> >>> [3076\011] Tunneling-Protocol = WebVPN & IPSec
> >>> [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL <- SPLIT-TUNNEL ACL configured on the ASA
> >>> [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
> >>> [3076\217] Address-Pools = EZVPN <- EZVPN address pool configured on the ASA
> >>>
> >>> I have a user setup (for pulling down Radius Attributes) as follows:
> >>> User Name: EZVPN (same name as the Group)
> >>> Password: cisco
> >>>
> >>> And finally my XAUTH User Setup
> >>> User Name: ezvpnuser
> >>> Password: cisco
> >>>
> >>> setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes
> >>> [009\001] cisco-av-pair
> >>> ipsec:user-vpn-group=EZVPN
> >>>
> >>> setup config for test 2 - under IETF RADIUS Attributes
> >>> [025] Class
> >>> OU=EZVPN;
> >>>
> >>> My question is related to the setup config I mentioned in the last
> >>> section for test 1 and test 2. When I use either config for the XAUTH user I
> >>> am still able to successfully establish a VPN connection to the ASA EZVPN
> >>> server. The user is assigned the attributes as defined in the group setup
> >>> and encrypts traffic only to the split-tunnel networks.
> >>>
> >>> Why and when would I have to use the "[025] Class" config under the IETF
> >>> RADIUS Attributes for the user?
> >>>
> >>> Mark
> >>>
> >>> _______________________________________________
> >>> For more information regarding industry leading CCIE Lab training, please
> >>> visit www.ipexpert.com
> >>>
> >>> Are you a CCNP or CCIE and looking for a job? Check out
> >>> www.PlatinumPlacement.com
> >>
> >
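The layout Jim describes (everyone lands in a no-access policy unless the RADIUS Class attribute maps them to a real one), written out as an added ASA configuration example that is not from anyone in this thread; the policy names NOACCESS, HR and EXECS, the ACL names HR-ACL and EXECS-ACL, and the 8.2-era syntax are assumptions.

```text
! Constructed example, not the thread's own config.
! Default policy: logins disabled, so a user whose RADIUS reply carries no
! usable Class attribute (or an OU with no matching policy) cannot connect.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Per-department policies; the ACS user's IETF [025] Class attribute selects
! one by name, e.g. "OU=HR;" or "OU=EXECS;" (the trailing semicolon matters).
group-policy HR internal
group-policy HR attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value EZVPN
 vpn-filter value HR-ACL
!
group-policy EXECS internal
group-policy EXECS attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value EZVPN
 vpn-filter value EXECS-ACL
!
! The tunnel group hands every XAUTH user to NOACCESS; only an OU returned by
! the ACS moves them into HR or EXECS.
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 authentication-server-group RADIUS
 default-group-policy NOACCESS
```

To confirm which policy a session actually received, check the "Group Policy" field in `show vpn-sessiondb remote` after the client connects; a user who was placed in NOACCESS will simply fail to log in rather than appear there.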
