So "OU" is not required when we use "user-vpn-group", and it works, but I have not seen any docs.
In the CCIE lab, I think it's safer to use "OU".

With regards
Kings

On Fri, Sep 16, 2011 at 6:37 AM, Jim Terry <[email protected]> wrote:
> Hi Mark,
>
> OU always puts a user in that group.
> user-vpn-group: if a user tries to log in under the wrong group, the connection is terminated. If he logs in with the right group, he is allowed.
>
> JT
>
> On Wed, Sep 14, 2011 at 11:29 PM, Kingsley Charles <[email protected]> wrote:
> > I think it's better to lab it and see what's happening.
> >
> > Snippet from
> > http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1516834
> >
> > User-VPN-Group
> >
> > The User-VPN-Group attribute is a replacement for the Group-Lock attribute. It allows support for both preshared key and RSA signature authentication mechanisms such as certificates.
> >
> > If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated.
> >
> > This feature works only with AAA RADIUS. Local Xauth authentication must still use the Group-Lock attribute.
> >
> > BTW, why are you using an IOS RADIUS attribute for ASA authorization?
> >
> > With regards
> > Kings
> >
> > On Thu, Sep 15, 2011 at 8:00 AM, Mark Senteza <[email protected]> wrote:
> >> OK.
> >>
> >> So it really does do the same thing as the "ipsec:user-vpn-group" commands under the "Cisco IOS/PIX Radius Attributes".
> >>
> >> To me it seemed to do just that, but I thought there might be a difference.
> >>
> >> On Wed, Sep 14, 2011 at 6:40 PM, Jim Terry <[email protected]> wrote:
> >>> It directly adds the user to the ASA group that the OU=xx; points to.
> >>>
> >>> JT
> >>>
> >>> On Wed, Sep 14, 2011 at 7:03 PM, Mark Senteza <[email protected]> wrote:
> >>> > Jim,
> >>> >
> >>> > so you're saying that the [025] Class setting overrides the "ipsec:user-vpn-group" setting, or directly adds the user to the group? Is that right?
> >>> >
> >>> > Mark
> >>> >
> >>> > On Wed, Sep 14, 2011 at 5:58 PM, Jim Terry <[email protected]> wrote:
> >>> >> Hi Mark,
> >>> >>
> >>> >> The OU on the ACS will override what is on the ASA, even if it is the same. A practical application is you put all VPN users into one tunnel group/group policy with no access. Then match them by OU and put them in a different group policy on the ASA based on HR/Execs etc.
> >>> >>
> >>> >> JT
> >>> >>
> >>> >> On Wed, Sep 14, 2011 at 4:12 PM, Mark Senteza <[email protected]> wrote:
> >>> >> > Kingsley,
> >>> >> >
> >>> >> > I did have the default-group-policy defined under the tunnel-group configuration. The config:
> >>> >> >
> >>> >> > group-policy EZVPN external server-group RADIUS password cisco
> >>> >> >
> >>> >> > tunnel-group EZVPN type remote-access
> >>> >> > tunnel-group EZVPN general-attributes
> >>> >> >  default-group-policy EZVPN
> >>> >> >
> >>> >> > On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles <[email protected]> wrote:
> >>> >> >> When you don't have the "default-group-policy" configured under the tunnel-group general sub-mode, then the ASA will not know which group policy to apply. In that case, you should add RADIUS AV 25 to the Xauth user account on ACS, and that should be the external group policy name that you have configured on the ASA.
> >>> >> >>
> >>> >> >> With regards
> >>> >> >> Kings
> >>> >> >>
> >>> >> >> On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
> >>> >> >>> Hello all,
> >>> >> >>>
> >>> >> >>> I have my ASA set up as an EZVPN server, with an externally configured group-policy on the RADIUS server, like so:
> >>> >> >>>
> >>> >> >>> group-policy EZVPN external server-group RADIUS password cisco
> >>> >> >>>
> >>> >> >>> My group setup has the following:
> >>> >> >>>
> >>> >> >>> Group renamed to "EZVPN"
> >>> >> >>>
> >>> >> >>> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
> >>> >> >>> [3076\011] Tunneling-Protocol = WebVPN & IPSec
> >>> >> >>> [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL   <- SPLIT-TUNNEL ACL configured on the ASA
> >>> >> >>> [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
> >>> >> >>> [3076\217] Address-Pools = EZVPN   <- EZVPN address pool configured on the ASA
> >>> >> >>>
> >>> >> >>> I have a user set up (for pulling down RADIUS attributes) as follows:
> >>> >> >>> User Name: EZVPN (same name as the Group)
> >>> >> >>> Password: cisco
> >>> >> >>>
> >>> >> >>> And finally my XAUTH User Setup:
> >>> >> >>> User Name: ezvpnuser
> >>> >> >>> Password: cisco
> >>> >> >>>
> >>> >> >>> Setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes:
> >>> >> >>> [009\001] cisco-av-pair
> >>> >> >>> ipsec:user-vpn-group=EZVPN
> >>> >> >>>
> >>> >> >>> Setup config for test 2 - under IETF RADIUS Attributes:
> >>> >> >>> [025] Class
> >>> >> >>> OU=EZVPN;
> >>> >> >>>
> >>> >> >>> My question is related to the setup config I mentioned in the last section for test 1 and test 2. When I use either config for the XAUTH user I am still able to successfully establish a VPN connection to the ASA EZVPN server. The user is assigned the attributes as defined in the group setup and encrypts traffic only to the split-tunnel networks.
> >>> >> >>>
> >>> >> >>> Why and when would I have to use the "[025] Class" config under the IETF RADIUS Attributes for the user?
> >>> >> >>>
> >>> >> >>> Mark
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
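The two RADIUS-returned attributes the thread compares behave differently, and the difference is easy to lose in the quoting above. The following is an added example written for this page (Python, not ASA, ACS or Cisco code) that models only what the participants and the quoted Cisco text state: a Class value of "OU=<name>;" places the user in group policy <name> and overrides the tunnel-group's default-group-policy, "ipsec:user-vpn-group=<name>" terminates the connection when the client did not come in through tunnel group <name>, and without a default-group-policy or a Class OU= the ASA, per Kings, has no group policy to apply. The dictionary layout, the helper names and the sample sessions are assumptions made for the example.

```python
"""Model of the two RADIUS-returned attributes the thread compares.

Added example for this page, not ASA or ACS code. It encodes only what the
thread states:
  * IETF attribute 25 Class with value "OU=<name>;" puts the user in group
    policy <name> and overrides the tunnel-group's default-group-policy.
  * cisco-av-pair "ipsec:user-vpn-group=<name>" is a lock: if the client did
    not connect to tunnel group <name>, the connection is terminated.
  * With no default-group-policy and no Class OU=, the thread says the ASA
    does not know which group policy to apply.
The dict layout, helper names and sample sessions are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CLASS_ATTR = "Class"            # IETF RADIUS attribute [025]
AV_PAIR_ATTR = "cisco-av-pair"  # Cisco IOS/PIX VSA [009\001]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    group_policy: Optional[str]
    reason: str


def parse_class_ou(value: str) -> Optional[str]:
    """Return <name> from a Class value shaped 'OU=<name>;', else None.

    Anything not in that shape is ignored rather than guessed at.
    """
    v = value.strip()
    if not v.upper().startswith("OU="):
        return None
    name = v[3:].strip().rstrip(";").strip()
    return name or None


def parse_user_vpn_group(av_pairs: List[str]) -> Optional[str]:
    """Return the value of 'ipsec:user-vpn-group=<name>' if present."""
    for pair in av_pairs:
        key, sep, val = pair.partition("=")
        if sep and key.strip().lower() == "ipsec:user-vpn-group":
            return val.strip() or None
    return None


def authorize(tunnel_group: str, default_group_policy: Optional[str],
              radius_attrs: Dict[str, List[str]]) -> Decision:
    """Apply the thread's rules to the attributes returned for one XAUTH user.

    radius_attrs maps attribute name -> list of values, e.g.
    {"Class": ["OU=HR;"], "cisco-av-pair": ["ipsec:user-vpn-group=EZVPN"]}.
    """
    # 1. user-vpn-group locks the user to one tunnel group (Jim's rule).
    locked = parse_user_vpn_group(radius_attrs.get(AV_PAIR_ATTR, []))
    if locked is not None and locked != tunnel_group:
        return Decision(False, None,
                        f"user-vpn-group={locked} != tunnel-group {tunnel_group}: terminated")

    # 2. Class OU= overrides the ASA's default-group-policy, even if equal.
    for value in radius_attrs.get(CLASS_ATTR, []):
        ou = parse_class_ou(value)
        if ou is not None:
            return Decision(True, ou, f"Class {value!r} assigns group-policy {ou}")

    # 3. Otherwise the tunnel-group's default-group-policy applies, if any.
    if default_group_policy is None:
        return Decision(False, None,
                        "no default-group-policy and no Class OU=: no group policy to apply")
    return Decision(True, default_group_policy,
                    f"default-group-policy {default_group_policy} applied")


if __name__ == "__main__":
    # Constructed sessions mirroring the thread: Mark's test 1 and test 2,
    # a client that connected to the wrong tunnel group, and Jim's
    # "everyone lands in NOACCESS, OU moves HR users" pattern.
    sessions = [
        ("EZVPN", "EZVPN", {AV_PAIR_ATTR: ["ipsec:user-vpn-group=EZVPN"]}),
        ("EZVPN", "EZVPN", {CLASS_ATTR: ["OU=EZVPN;"]}),
        ("GUEST", "GUEST", {AV_PAIR_ATTR: ["ipsec:user-vpn-group=EZVPN"]}),
        ("EZVPN", "NOACCESS", {}),
        ("EZVPN", "NOACCESS", {CLASS_ATTR: ["OU=HR;"]}),
    ]
    for tg, dgp, attrs in sessions:
        d = authorize(tg, dgp, attrs)
        print(f"tunnel-group={tg:6} -> allowed={d.allowed!s:5} "
              f"group-policy={d.group_policy} ({d.reason})")
```

The point the model makes explicit: Class OU= is an authorization decision taken on the RADIUS server that the ASA accepts over its own configuration (which is why Jim's "no-access default, OU moves HR/Execs" pattern works), whereas user-vpn-group only rejects a mismatch and otherwise leaves the group-policy choice to the ASA. Both therefore rest on the RADIUS path being trustworthy, and the Cisco text Kings quotes adds the caveat that the user-vpn-group check works only with AAA RADIUS; local Xauth still needs Group-Lock.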
