Can you combine them? I've tried it and it doesn't fail to establish a VPN connection or get assigned to the right group.

On Fri, Sep 16, 2011 at 3:57 AM, Kingsley Charles <[email protected]> wrote:
> So "OU" is not required when we use "user-vpn-group" and it works, but I
> have not seen any docs.
>
> In CCIE lab, I think it's safer to use "OU".
>
> With regards
> Kings
>
> On Fri, Sep 16, 2011 at 6:37 AM, Jim Terry <[email protected]> wrote:
>> Hi Mark,
>>
>> OU - always puts a user in that group.
>> user-vpn-group = if a user tries to log in under the wrong group the
>> connection is terminated. If he logs in with the right group, he is
>> allowed.
>>
>> JT
>>
>> On Wed, Sep 14, 2011 at 11:29 PM, Kingsley Charles <[email protected]> wrote:
>>> I think it's better to lab it and see what's happening.
>>>
>>> Snippet from
>>> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1516834
>>>
>>> User-VPN-Group
>>>
>>> The User-VPN-Group attribute is a replacement for the Group-Lock attribute.
>>> It allows support for both preshared key and RSA signature authentication
>>> mechanisms such as certificates.
>>>
>>> If you need to check that the group a user is attempting to connect to is
>>> indeed the group the user belongs to, use the User-VPN-Group attribute. The
>>> administrator sets this attribute to a string, which is the group that the
>>> user belongs to. The group the user belongs to is matched against the VPN
>>> group as defined by group name (ID_KEY_ID) for preshared keys or by the OU
>>> field of a certificate. If the groups do not match, the client connection is
>>> terminated.
>>>
>>> This feature works only with AAA RADIUS. Local Xauth authentication must
>>> still use the Group-Lock attribute.
>>>
>>> BTW, why are you using an IOS RADIUS attribute for ASA authorization?
>>>
>>> With regards
>>> Kings
>>>
>>> On Thu, Sep 15, 2011 at 8:00 AM, Mark Senteza <[email protected]> wrote:
>>>> OK.
>>>>
>>>> So it really does do the same thing as the "ipsec:user-vpn-group" commands
>>>> under the "Cisco IOS/PIX Radius Attributes".
>>>>
>>>> To me it seemed to do just that, but I thought there might be a difference.
>>>>
>>>> On Wed, Sep 14, 2011 at 6:40 PM, Jim Terry <[email protected]> wrote:
>>>>> It directly adds the user to the ASA group that the OU=xx; points to.
>>>>>
>>>>> JT
>>>>>
>>>>> On Wed, Sep 14, 2011 at 7:03 PM, Mark Senteza <[email protected]> wrote:
>>>>>> Jim,
>>>>>>
>>>>>> so you're saying that the [025] Class setting overrides the
>>>>>> "ipsec:user-vpn-group" setting, or directly adds the user to the group?
>>>>>> Is that right?
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>> On Wed, Sep 14, 2011 at 5:58 PM, Jim Terry <[email protected]> wrote:
>>>>>>> Hi Mark,
>>>>>>>
>>>>>>> The OU on the ACS will override what is on the ASA, even if it is the
>>>>>>> same. A practical application is you put all VPN users into one
>>>>>>> tunnel group/group policy with no access. Then match them by OU and
>>>>>>> put them in a different group policy on the ASA based on HR/Execs etc.
>>>>>>>
>>>>>>> JT
>>>>>>>
>>>>>>> On Wed, Sep 14, 2011 at 4:12 PM, Mark Senteza <[email protected]> wrote:
>>>>>>>> Kingsley,
>>>>>>>>
>>>>>>>> I did have the default-group-policy defined under the tunnel-group
>>>>>>>> configuration. The config:
>>>>>>>>
>>>>>>>> group-policy EZVPN external server-group RADIUS password cisco
>>>>>>>>
>>>>>>>> tunnel-group EZVPN type remote-access
>>>>>>>> tunnel-group EZVPN general-attributes
>>>>>>>> default-group-policy EZVPN
>>>>>>>>
>>>>>>>> On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>> When you don't have the "default-group-policy" configured under the
>>>>>>>>> tunnel general sub-mode, then ASA will not know which group policy to
>>>>>>>>> apply. In that case, you should add RADIUS AV 25 to the Xauth user
>>>>>>>>> account on ACS and that should be the external group policy name that
>>>>>>>>> you have configured on the ASA.
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>>> On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
>>>>>>>>>> Hello all,
>>>>>>>>>>
>>>>>>>>>> I have my ASA set up as an EZVPN server, with an externally
>>>>>>>>>> configured group-policy on the RADIUS server, like so:
>>>>>>>>>>
>>>>>>>>>> group-policy EZVPN external server-group RADIUS password cisco
>>>>>>>>>>
>>>>>>>>>> My group setup has the following:
>>>>>>>>>>
>>>>>>>>>> Group renamed to "EZVPN"
>>>>>>>>>>
>>>>>>>>>> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
>>>>>>>>>> [3076\011] Tunneling-Protocol = WebVPN & IPSec
>>>>>>>>>> [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL <- SPLIT-TUNNEL ACL configured on the ASA
>>>>>>>>>> [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
>>>>>>>>>> [3076\217] Address-Pools = EZVPN <- EZVPN address pool configured on the ASA
>>>>>>>>>>
>>>>>>>>>> I have a user set up (for pulling down RADIUS attributes) as follows:
>>>>>>>>>> User Name: EZVPN (same name as the Group)
>>>>>>>>>> Password: cisco
>>>>>>>>>>
>>>>>>>>>> And finally my XAUTH User Setup:
>>>>>>>>>> User Name: ezvpnuser
>>>>>>>>>> Password: cisco
>>>>>>>>>>
>>>>>>>>>> Setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes:
>>>>>>>>>> [009\001] cisco-av-pair
>>>>>>>>>> ipsec:user-vpn-group=EZVPN
>>>>>>>>>>
>>>>>>>>>> Setup config for test 2 - under IETF RADIUS Attributes:
>>>>>>>>>> [025] Class
>>>>>>>>>> OU=EZVPN;
>>>>>>>>>>
>>>>>>>>>> My question is related to the setup config I mentioned in the last
>>>>>>>>>> section for test 1 and test 2. When I use either config for the XAUTH
>>>>>>>>>> user I am still able to successfully establish a VPN connection to the
>>>>>>>>>> ASA EZVPN server. The user is assigned the attributes as defined in the
>>>>>>>>>> group setup and encrypts traffic only to the split-tunnel networks.
>>>>>>>>>>
>>>>>>>>>> Why and when would I have to use the "[025] Class" config under the
>>>>>>>>>> IETF RADIUS Attributes for the user?
>>>>>>>>>>
>>>>>>>>>> Mark
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>>>>>>
>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
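The two attributes the thread compares, side by side in a small model. This is an added example, not ASA code and not from any poster; it implements the semantics the participants describe (Class "OU=<group-policy>;" puts the user in that group policy and overrides the tunnel-group's default-group-policy; "ipsec:user-vpn-group=<group>" terminates a login whose group does not match; an external group-policy is fetched from RADIUS by authenticating with the policy name as the username). The group-level attributes, the EZVPN names and the ASA lines come from Mark's post. The in-memory RADIUS_DB and ASA_CONFIG tables, the PARKING tunnel-group, the local NOACCESS policy (Jim Terry's "everyone starts with no access, then sort by OU" pattern) and the attribute-name strings are constructed for this example.

```python
"""Simplified model of the two RADIUS attributes from the thread acting on an
ASA remote-access login. Added illustration only, not ASA code; the semantics
are those the posters describe (Class OU= selects the group policy,
ipsec:user-vpn-group= terminates a mismatched login)."""

# Constructed stand-in for the ACS database in Mark's post. The group-level
# attributes live under a RADIUS "user" named after the external group-policy;
# the Xauth user is separate. Attributes are (name, value) pairs.
RADIUS_DB = {
    "EZVPN": {  # fetched by "group-policy EZVPN external server-group RADIUS password cisco"
        "password": "cisco",
        "attrs": [
            ("Tunneling-Protocol", "WebVPN & IPSec"),                              # [3076\011]
            ("IPSec-Split-Tunnel-List", "SPLIT-TUNNEL"),                           # [3076\072]
            ("IPSec-Split-Tunneling-Policy", "Only tunnel networks in the list"),  # [3076\055]
            ("Address-Pools", "EZVPN"),                                            # [3076\217]
        ],
    },
    "ezvpnuser": {"password": "cisco", "attrs": []},  # Xauth user from the post
}

# Constructed ASA configuration matching the post, plus a hypothetical PARKING
# tunnel-group whose default is a local, attribute-less NOACCESS policy.
ASA_CONFIG = {
    "tunnel-groups": {
        "EZVPN": {"default-group-policy": "EZVPN"},
        "PARKING": {"default-group-policy": "NOACCESS"},  # hypothetical
    },
    "group-policies": {
        "EZVPN": {"external": True, "server-group": "RADIUS", "password": "cisco"},
        "NOACCESS": {"external": False, "attrs": []},      # hypothetical, local
    },
}


def radius_access_request(username, password, extra_attrs=(), db=RADIUS_DB):
    """Constructed RADIUS exchange: Access-Accept attribute list, or None for
    Access-Reject. extra_attrs stands in for the per-user attributes configured
    on ACS for a given test (the av-pair or the Class value)."""
    rec = db.get(username)
    if rec is None or rec["password"] != password:
        return None
    return list(rec["attrs"]) + list(extra_attrs)


def parse_class_ou(value):
    """'OU=EZVPN;' -> 'EZVPN'. Class (IETF attribute 25) is opaque per RFC 2865;
    the 'OU=<group-policy>;' form is the ASA convention used in the thread."""
    for token in value.split(";"):
        token = token.strip()
        if token.upper().startswith("OU="):
            return token[3:]
    return None


def parse_av_pair(value):
    """'ipsec:user-vpn-group=EZVPN' -> ('ipsec:user-vpn-group', 'EZVPN'), else None."""
    key, sep, val = value.partition("=")
    return (key.strip(), val.strip()) if sep else None


def resolve_group_policy(name, config, db=RADIUS_DB):
    """Effective attributes of a group policy; an external one is pulled from
    RADIUS by authenticating with the policy name as the username."""
    gp = config["group-policies"].get(name)
    if gp is None:
        return None
    if not gp["external"]:
        return list(gp["attrs"])
    return radius_access_request(name, gp["password"], db=db)


def ezvpn_login(username, password, tunnel_group, user_attrs=(), config=ASA_CONFIG, db=RADIUS_DB):
    """Model one IPsec remote-access login. Returns (accepted, group_policy, attrs, reason)."""
    tg = config["tunnel-groups"].get(tunnel_group)
    if tg is None:
        return False, None, None, f"no tunnel-group {tunnel_group}"
    accept = radius_access_request(username, password, user_attrs, db=db)
    if accept is None:
        return False, None, None, "Xauth failed (Access-Reject)"

    group_policy = tg["default-group-policy"]
    reason = f"default-group-policy of tunnel-group {tunnel_group}"
    for name, value in accept:
        if name == "Class":
            ou = parse_class_ou(value)
            if ou is not None:  # OU= always puts the user in that group policy
                group_policy = ou
                reason = f"Class OU={ou}; overrides the tunnel-group default"
        elif name == "cisco-av-pair":
            kv = parse_av_pair(value)
            if kv and kv[0] == "ipsec:user-vpn-group" and kv[1] != tunnel_group:
                # group-lock semantics: wrong group -> connection terminated
                return False, None, None, (f"user-vpn-group={kv[1]} does not match "
                                           f"tunnel-group {tunnel_group}; connection terminated")

    attrs = resolve_group_policy(group_policy, config, db)
    if attrs is None:
        return False, None, None, f"group-policy {group_policy} missing or external lookup failed"
    return True, group_policy, attrs, reason


if __name__ == "__main__":
    cases = [("EZVPN", [("cisco-av-pair", "ipsec:user-vpn-group=EZVPN")]),    # test 1
             ("EZVPN", [("Class", "OU=EZVPN;")]),                             # test 2
             ("PARKING", [("Class", "OU=EZVPN;")]),                           # OU re-homes the user
             ("PARKING", [("cisco-av-pair", "ipsec:user-vpn-group=EZVPN")])]  # wrong group
    for tg, extra in cases:
        print(tg, extra, "->", ezvpn_login("ezvpnuser", "cisco", tg, extra))
```

Both of Mark's tests succeed in the model for the same reason they did in his lab: the tunnel-group already carries default-group-policy EZVPN, so test 1 never has to pick a policy and test 2 picks the one already in force. The difference only shows when the user lands in another tunnel-group (PARKING here): the Class attribute moves the user to EZVPN, while user-vpn-group tears the connection down.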
