OK. So it really does do the same thing as the "ipsec:user-vpn-group" commands under the "Cisco IOS/PIX Radius Attributes"
To me it seemed to do just that, but thought there might be a difference.

On Wed, Sep 14, 2011 at 6:40 PM, Jim Terry <[email protected]> wrote:
> It directly adds the user to the ASA group that the OU=xx; points to.
>
> JT
>
> On Wed, Sep 14, 2011 at 7:03 PM, Mark Senteza <[email protected]> wrote:
> > Jim,
> >
> > so you're saying that the [025] Class setting overrides the "ipsec:user-vpn-group" setting or directly adding the user to the group? Is that right?
> >
> > Mark
> >
> > On Wed, Sep 14, 2011 at 5:58 PM, Jim Terry <[email protected]> wrote:
> >> Hi Mark,
> >>
> >> The OU on the ACS will override what is on the ASA, even if it is the same. A practical application is you put all vpn users into one tunnel group/group policy with no access. Then match them by OU and put them in a diff group policy on the ASA based on HR/Execs etc.
> >>
> >> JT
> >>
> >> On Wed, Sep 14, 2011 at 4:12 PM, Mark Senteza <[email protected]> wrote:
> >> > Kingsley,
> >> >
> >> > I did have the default-group-policy defined under the tunnel-group configuration. The config:
> >> >
> >> > group-policy EZVPN external server-group RADIUS password cisco
> >> >
> >> > tunnel-group EZVPN type remote-access
> >> > tunnel-group EZVPN general-attributes
> >> > default-group-policy EZVPN
> >> >
> >> > On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles <[email protected]> wrote:
> >> >> When you don't have the "default-group-policy" configured under the tunnel general sub-mode, then ASA will not know which group policy to apply. In that case, you should add Radius AV 25 to the Xauth user account on ACS and that should be the external group policy name that you have configured on the ASA.
> >> >>
> >> >> With regards
> >> >> Kings
> >> >>
> >> >> On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
> >> >>> Hello all,
> >> >>>
> >> >>> I have my ASA setup as an EZVPN server, with an externally configured group-policy on the RADIUS server, like so:
> >> >>>
> >> >>> group-policy EZVPN external server-group RADIUS password cisco
> >> >>>
> >> >>> My group setup has the following:
> >> >>>
> >> >>> Group renamed to "EZVPN"
> >> >>>
> >> >>> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
> >> >>> [3076\011] Tunneling-Protocol = WebVPN & IPSec
> >> >>> [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL <- SPLIT-TUNNEL ACL configured on the ASA
> >> >>> [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
> >> >>> [3076\217] Address-Pools = EZVPN <- EZVPN address pool configured on the ASA
> >> >>>
> >> >>> I have a user setup (for pulling down Radius Attributes) as follows:
> >> >>> User Name: EZVPN (same name as the Group)
> >> >>> Password: cisco
> >> >>>
> >> >>> And finally my XAUTH User Setup
> >> >>> User Name: ezvpnuser
> >> >>> Password: cisco
> >> >>>
> >> >>> setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes
> >> >>> [009\001] cisco-av-pair
> >> >>> ipsec:user-vpn-group=EZVPN
> >> >>>
> >> >>> setup config for test 2 - under IETF RADIUS Attributes
> >> >>> [025] Class
> >> >>> OU=EZVPN;
> >> >>>
> >> >>> My question is related to the setup config I mentioned in the last section for test 1 and test 2. When I use either config for the XAUTH user I am still able to successfully establish a VPN connection to the ASA EZVPN server. The user is assigned the attributes as defined in the group setup and encrypts traffic only to the split-tunnel networks.
> >> >>>
> >> >>> Why and when would I have to use the "[025] Class" config under the IETF RADIUS Attributes for the user?
> >> >>>
> >> >>> Mark
> >> >>>
> >> >>> _______________________________________________
> >> >>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
> >> >>>
> >> >>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
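As an added example (not from the thread, and not Cisco's or ACS's code), the snippet below builds the RADIUS attribute bytes that the two XAUTH user setups in the thread would put into an Access-Accept, and parses them back out. The attribute numbers are RFC 2865's Class (25) and Vendor-Specific (26) plus the bracketed labels the thread itself uses ([009\001] cisco-av-pair, [3076\072] IPSec-Split-Tunnel-List, [3076\217] Address-Pools); the function names, the constructed sample blobs and the `group_assignment` reporting logic are assumptions of this example. It does not model the ASA's own precedence between the two forms; it only shows what the ASA receives on the wire in each case.

```python
"""Encode and decode the RADIUS attributes discussed in the thread.

Added example, not from the original thread or from Cisco.  Attribute
numbers: RFC 2865 (Class = 25, Vendor-Specific = 26) and the thread's
bracketed labels ([009\\001], [3076\\072], [3076\\217]).  The packet
layout is plain RFC 2865 Type/Length/Value encoding.
"""
import struct

ATTR_CLASS = 25                 # IETF [025] Class
ATTR_VENDOR_SPECIFIC = 26       # carrier for vendor attributes
VENDOR_CISCO = 9                # [009\xxx] Cisco IOS/PIX attributes
VENDOR_CISCO_VPN3000 = 3076     # [3076\xxx] Cisco VPN 3000/ASA/PIX 7.x+ attributes
CISCO_AV_PAIR = 1               # [009\001] cisco-av-pair
VPN3000_SPLIT_TUNNEL_LIST = 72  # [3076\072] IPSec-Split-Tunnel-List
VPN3000_ADDRESS_POOLS = 217     # [3076\217] Address-Pools


def attr(attr_type: int, value: bytes) -> bytes:
    """Standard RADIUS attribute: Type(1) Length(1) Value (length covers all three)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (type 26) carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attrs(blob: bytes) -> list:
    """Walk an attribute blob; yields (vendor_id or None, type, value) tuples,
    expanding Vendor-Specific attributes into their sub-attributes."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        val = blob[i + 2:i + length]
        if t == ATTR_VENDOR_SPECIFIC:
            if len(val) < 4:
                raise ValueError("VSA too short for a vendor id")
            vendor = struct.unpack("!I", val[:4])[0]
            j = 4
            while j < len(val):
                if len(val) - j < 2:
                    raise ValueError("truncated VSA sub-attribute")
                st, sl = val[j], val[j + 1]
                if sl < 2 or j + sl > len(val):
                    raise ValueError("bad VSA sub-attribute length")
                out.append((vendor, st, val[j + 2:j + sl]))
                j += sl
        else:
            out.append((None, t, val))
        i += length
    return out


def group_assignment(blob: bytes) -> dict:
    """Report which attributes in the blob name a group policy:
    Class 'OU=<name>;' (the thread's test 2) and/or the cisco-av-pair
    'ipsec:user-vpn-group=<name>' (the thread's test 1)."""
    found = {}
    for vendor, t, val in parse_attrs(blob):
        text = val.decode("ascii", "replace")
        if vendor is None and t == ATTR_CLASS and text.startswith("OU="):
            found["class_ou"] = text[3:].rstrip(";")
        elif (vendor == VENDOR_CISCO and t == CISCO_AV_PAIR
              and text.startswith("ipsec:user-vpn-group=")):
            found["av_pair_group"] = text.split("=", 1)[1]
    return found


# Constructed sample blobs mirroring the thread's two XAUTH user setups.
TEST1 = vsa(VENDOR_CISCO, CISCO_AV_PAIR, b"ipsec:user-vpn-group=EZVPN")  # [009\001]
TEST2 = attr(ATTR_CLASS, b"OU=EZVPN;")                                    # [025]
# Constructed group-level attributes the ASA pulls for the EZVPN group.
GROUP_ATTRS = (vsa(VENDOR_CISCO_VPN3000, VPN3000_SPLIT_TUNNEL_LIST, b"SPLIT-TUNNEL")
               + vsa(VENDOR_CISCO_VPN3000, VPN3000_ADDRESS_POOLS, b"EZVPN"))

if __name__ == "__main__":
    for label, blob in (("test 1", TEST1), ("test 2", TEST2), ("both", TEST1 + TEST2)):
        print(label, blob.hex(), group_assignment(blob))
    print("group attrs", parse_attrs(GROUP_ATTRS))
```

Running it shows that test 2 is a bare IETF attribute (type 0x19, length 11) while test 1 is wrapped in a Vendor-Specific attribute carrying vendor id 9 and sub-type 1, which is why the two appear under different headings in ACS even though both name the same ASA group policy. The same parser is handy when auditing a RADIUS capture or server debug to confirm which attribute actually reached the ASA.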
