It directly adds the user to the ASA group that the OU=xx; points to.

JT
On Wed, Sep 14, 2011 at 7:03 PM, Mark Senteza <[email protected]> wrote:
> Jim,
>
> so you're saying that the [025] Class setting overrides the
> "ipsec:user-vpn-group" setting or directly adding the user to the group?
> Is that right?
>
> Mark
>
> On Wed, Sep 14, 2011 at 5:58 PM, Jim Terry <[email protected]> wrote:
>>
>> Hi Mark,
>>
>> The OU on the ACS will override what is on the ASA - even if it is the
>> same. A practical application is you put all vpn users into one
>> tunnel group/group policy with no access. Then match them by OU and
>> put them in a diff group policy on the ASA based on HR/Execs etc.
>>
>> JT
>>
>> On Wed, Sep 14, 2011 at 4:12 PM, Mark Senteza <[email protected]> wrote:
>> > Kingsley,
>> >
>> > I did have the default-group-policy defined under the tunnel-group
>> > configuration. The config:
>> >
>> > group-policy EZVPN external server-group RADIUS password cisco
>> >
>> > tunnel-group EZVPN type remote-access
>> > tunnel-group EZVPN general-attributes
>> >  default-group-policy EZVPN
>> >
>> > On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles <[email protected]> wrote:
>> >>
>> >> When you don't have the "default-group-policy" configured under the
>> >> tunnel general sub-mode, then ASA will not know which group policy to
>> >> apply. In that case, you should add Radius AV 25 to the Xauth user
>> >> account on ACS and that should be the external group policy name that
>> >> you have configured on the ASA.
>> >>
>> >> With regards
>> >> Kings
>> >>
>> >> On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
>> >>>
>> >>> Hello all,
>> >>>
>> >>> I have my ASA setup as an EZVPN server, with an externally configured
>> >>> group-policy on the RADIUS server, like so:
>> >>>
>> >>> group-policy EZVPN external server-group RADIUS password cisco
>> >>>
>> >>> My group setup has the following:
>> >>>
>> >>> Group renamed to "EZVPN"
>> >>>
>> >>> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
>> >>> [3076\011] Tunneling-Protocol = WebVPN & IPSec
>> >>> [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL  <- SPLIT-TUNNEL ACL configured on the ASA
>> >>> [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
>> >>> [3076\217] Address-Pools = EZVPN  <- EZVPN address pool configured on the ASA
>> >>>
>> >>> I have a user setup (for pulling down Radius Attributes) as follows:
>> >>> User Name: EZVPN (same name as the Group)
>> >>> Password: cisco
>> >>>
>> >>> And finally my XAUTH User Setup
>> >>> User Name: ezvpnuser
>> >>> Password: cisco
>> >>>
>> >>> setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes
>> >>> [009\001] cisco-av-pair
>> >>> ipsec:user-vpn-group=EZVPN
>> >>>
>> >>> setup config for test 2 - under IETF RADIUS Attributes
>> >>> [025] Class
>> >>> OU=EZVPN;
>> >>>
>> >>> My question is related to the setup config I mentioned in the last
>> >>> section for test 1 and test 2. When I use either config for the XAUTH
>> >>> user I am still able to successfully establish a VPN connection to the
>> >>> ASA EZVPN server. The user is assigned the attributes as defined in the
>> >>> group setup and encrypts traffic only to the split-tunnel networks.
>> >>>
>> >>> Why and when would I have to use the "[025] Class" config under the
>> >>> IETF RADIUS Attributes for the user?
>> >>>
>> >>> Mark
>> >>>
>> >>> _______________________________________________
>> >>> For more information regarding industry leading CCIE Lab training, please
>> >>> visit www.ipexpert.com
>> >>>
>> >>> Are you a CCNP or CCIE and looking for a job? Check out
>> >>> www.PlatinumPlacement.com
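The fail-closed layout Jim describes above (one tunnel group whose default group policy allows no access, with the RADIUS Class attribute `OU=<policy>;` moving each user into a real policy) as an ASA configuration. This is an added example and not config from anyone in the thread; the policy names HR and EXECS, the ACL and pool names, the RADIUS server address 10.0.0.5 and its key are placeholders.

```cisco
! Added example (not from the thread). Names, addresses and the
! RADIUS key are placeholders.
!
! RADIUS server group that the tunnel group authenticates against.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.5
 key ChangeMeRadiusKey
!
! Per-policy address pools and split-tunnel ACLs (placeholder ranges).
ip local pool HR-POOL 10.10.1.1-10.10.1.100 mask 255.255.255.0
ip local pool EXECS-POOL 10.10.2.1-10.10.2.100 mask 255.255.255.0
access-list HR-SPLIT standard permit 10.20.0.0 255.255.0.0
access-list EXECS-SPLIT standard permit 10.0.0.0 255.0.0.0
!
! Fail-closed default: a user whose RADIUS reply carries no OU,
! or an OU that matches no group policy, lands here and cannot log in.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Real policies. A user reaches one of these only when the RADIUS
! Class attribute (IETF 25) returns OU=HR; or OU=EXECS;. The OU value
! must match the group-policy name configured here.
group-policy HR internal
group-policy HR attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HR-SPLIT
 address-pools value HR-POOL
!
group-policy EXECS internal
group-policy EXECS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EXECS-SPLIT
 address-pools value EXECS-POOL
!
! One tunnel group for every remote-access user; the default policy
! is the no-access one, so policy selection happens only via RADIUS.
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 authentication-server-group RADIUS
 default-group-policy NOACCESS
```

On the RADIUS side each XAUTH user gets the IETF Class attribute (25) in the same form the thread uses, for example `OU=HR;` for an HR user, so the per-user attribute overrides the tunnel group's NOACCESS default. The practical check after a connection is `show vpn-sessiondb detail remote` on the ASA, where the Group Policy field shows which policy was actually applied; a user whose OU was missing or mistyped is rejected by the `vpn-simultaneous-logins 0` policy instead of silently landing in a permissive one.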
