I think it's better to lab and see what's happening. Snippet from http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1516834

User-VPN-Group

The User-VPN-Group attribute is a replacement for the Group-Lock attribute. It allows support for both preshared key and RSA signature authentication mechanisms such as certificates. If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated. This feature works only with AAA RADIUS. Local Xauth authentication must still use the Group-Lock attribute.

BTW, why are you using an IOS RADIUS attribute for ASA authorization?

With regards
Kings

On Thu, Sep 15, 2011 at 8:00 AM, Mark Senteza <[email protected]> wrote:
> OK.
>
> So it really does do the same thing as the "ipsec:user-vpn-group" commands under the "Cisco IOS/PIX Radius Attributes".
>
> To me it seemed to do just that, but thought there might be a difference.
>
> On Wed, Sep 14, 2011 at 6:40 PM, Jim Terry <[email protected]> wrote:
>> It directly adds the user to the ASA group that the OU=xx; points to.
>>
>> JT
>>
>> On Wed, Sep 14, 2011 at 7:03 PM, Mark Senteza <[email protected]> wrote:
>> > Jim,
>> >
>> > so you're saying that the [025] Class setting overrides the "ipsec:user-vpn-group" setting or directly adds the user to the group? Is that right?
>> >
>> > Mark
>> >
>> > On Wed, Sep 14, 2011 at 5:58 PM, Jim Terry <[email protected]> wrote:
>> >> Hi Mark,
>> >>
>> >> The OU on the ACS will override what is on the ASA, even if it is the same. A practical application is you put all VPN users into one tunnel group/group policy with no access. Then match them by OU and put them in a different group policy on the ASA based on HR/Execs etc.
>> >>
>> >> JT
>> >>
>> >> On Wed, Sep 14, 2011 at 4:12 PM, Mark Senteza <[email protected]> wrote:
>> >> > Kingsley,
>> >> >
>> >> > I did have the default-group-policy defined under the tunnel-group configuration. The config:
>> >> >
>> >> > group-policy EZVPN external server-group RADIUS password cisco
>> >> >
>> >> > tunnel-group EZVPN type remote-access
>> >> > tunnel-group EZVPN general-attributes
>> >> >  default-group-policy EZVPN
>> >> >
>> >> > On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles <[email protected]> wrote:
>> >> >> When you don't have the "default-group-policy" configured under the tunnel-group general sub-mode, then the ASA will not know which group policy to apply. In that case, you should add RADIUS AV 25 to the Xauth user account on ACS, and that should be the external group policy name that you have configured on the ASA.
>> >> >>
>> >> >> With regards
>> >> >> Kings
>> >> >>
>> >> >> On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
>> >> >>> Hello all,
>> >> >>>
>> >> >>> I have my ASA set up as an EZVPN server, with an externally configured group-policy on the RADIUS server, like so:
>> >> >>>
>> >> >>> group-policy EZVPN external server-group RADIUS password cisco
>> >> >>>
>> >> >>> My group setup has the following:
>> >> >>>
>> >> >>> Group renamed to "EZVPN"
>> >> >>>
>> >> >>> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
>> >> >>> [3076\011] Tunneling-Protocol = WebVPN & IPSec
>> >> >>> [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL   <- SPLIT-TUNNEL ACL configured on the ASA
>> >> >>> [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
>> >> >>> [3076\217] Address-Pools = EZVPN   <- EZVPN address pool configured on the ASA
>> >> >>>
>> >> >>> I have a user set up (for pulling down RADIUS attributes) as follows:
>> >> >>> User Name: EZVPN (same name as the Group)
>> >> >>> Password: cisco
>> >> >>>
>> >> >>> And finally my XAUTH User Setup:
>> >> >>> User Name: ezvpnuser
>> >> >>> Password: cisco
>> >> >>>
>> >> >>> Setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes:
>> >> >>>
>> >> >>> [009\001] cisco-av-pair
>> >> >>> ipsec:user-vpn-group=EZVPN
>> >> >>>
>> >> >>> Setup config for test 2 - under IETF RADIUS Attributes:
>> >> >>>
>> >> >>> [025] Class
>> >> >>> OU=EZVPN;
>> >> >>>
>> >> >>> My question is related to the setup config I mentioned in the last section for test 1 and test 2. When I use either config for the XAUTH user I am still able to successfully establish a VPN connection to the ASA EZVPN server. The user is assigned the attributes as defined in the group setup and encrypts traffic only to the split-tunnel networks.
>> >> >>>
>> >> >>> Why and when would I have to use the "[025] Class" config under the IETF RADIUS Attributes for the user?
>> >> >>>
>> >> >>> Mark
>> >> >>>
>> >> >>> _______________________________________________
>> >> >>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>> >> >>>
>> >> >>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
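As an added illustration (not code from the list, from Cisco, or from the ASA itself), the Python below models the two RADIUS encodings compared in the thread, the IOS/PIX cisco-av-pair "ipsec:user-vpn-group=<group>" and the IETF Class attribute "OU=<group>;", together with the group check the quoted Cisco text describes: the group the AAA server says the user belongs to is compared with the group the client is connecting to, and a mismatch terminates the connection. The function names, the (attribute, value) tuple representation, the sample replies and the rule that an absent attribute simply skips the check are assumptions made for this example.

```python
"""Model of the User-VPN-Group / Class (OU=...) group check from the thread.

Added example, not Cisco's or the ASA's implementation. It parses the two
RADIUS encodings shown in the thread and applies the documented rule that
a mismatch between the user's group and the group the client connects to
terminates the connection. Sample replies below are constructed.
"""
import re
from dataclasses import dataclass, field

# IETF Class (attribute 25) value as shown in the thread: "OU=EZVPN;"
CLASS_OU_RE = re.compile(r"OU=([^;]+);?")
# cisco-av-pair (9\1) value as shown in the thread
AV_PAIR_PREFIX = "ipsec:user-vpn-group="


@dataclass
class RadiusReply:
    """(attribute name, value) pairs as returned by the AAA server (assumed shape)."""
    attrs: list = field(default_factory=list)


def user_vpn_group(reply: RadiusReply):
    """Return the group the AAA server says the user belongs to, or None.

    Both encodings from the thread are accepted; the first one found wins.
    """
    for name, value in reply.attrs:
        if name == "cisco-av-pair" and value.startswith(AV_PAIR_PREFIX):
            return value[len(AV_PAIR_PREFIX):].strip()
        if name == "Class":
            match = CLASS_OU_RE.search(value)
            if match:
                return match.group(1).strip()
    return None


def check_group_lock(reply: RadiusReply, requested_group: str):
    """Apply the documented User-VPN-Group check.

    requested_group is the group the client is attempting to connect to:
    the ID_KEY_ID group name for preshared keys, or the OU field of the
    client certificate for RSA signatures. Returns (allowed, reason).
    Comparison is exact-match (an assumption of this model).
    """
    group = user_vpn_group(reply)
    if group is None:
        # Assumption: with no group attribute returned there is nothing to
        # check, so the user is not locked to any particular group.
        return True, "no User-VPN-Group attribute returned; no group check applied"
    if group == requested_group:
        return True, f"user belongs to {group!r}; groups match"
    return False, (f"user belongs to {group!r} but connected to "
                   f"{requested_group!r}; connection terminated")


def effective_group_policy(reply: RadiusReply, tunnel_group_default):
    """Model of which group policy ends up applied, as described in the thread.

    An OU=<name>; in the Class attribute points the user at that ASA group
    policy and overrides the tunnel-group default; otherwise the
    default-group-policy of the tunnel-group is used; with neither, the ASA
    has no policy to apply (returned as None).
    """
    for name, value in reply.attrs:
        if name == "Class":
            match = CLASS_OU_RE.search(value)
            if match:
                return match.group(1).strip()
    return tunnel_group_default


if __name__ == "__main__":
    # Constructed sample replies mirroring test 1 and test 2 from the thread
    test1 = RadiusReply([("cisco-av-pair", "ipsec:user-vpn-group=EZVPN")])
    test2 = RadiusReply([("Class", "OU=EZVPN;")])
    other = RadiusReply([("Class", "OU=EXECS;")])
    for reply in (test1, test2, other, RadiusReply()):
        print(check_group_lock(reply, "EZVPN"),
              effective_group_policy(reply, "EZVPN"))
```

Running the block prints, for each constructed reply, whether a client connecting to the EZVPN group would be allowed and which group policy the model applies; the third reply shows the HR/Execs style override Jim describes, and the empty reply shows why a default-group-policy (or a Class attribute) is needed for the ASA to have a policy to apply.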
