Why do you want to combine them? OU seems to do the subset work of user-vpn-group.
With regards
Kings

On Sat, Sep 17, 2011 at 1:27 AM, Mark Senteza <[email protected]> wrote:
> Can you combine them? I've tried it and it doesn't fail to establish a VPN
> connection or get assigned to the right group.
>
> On Fri, Sep 16, 2011 at 3:57 AM, Kingsley Charles <[email protected]> wrote:
>
>> So "OU" is not required when we use "user-vpn-group" and it works, but I
>> have not seen any docs.
>>
>> In CCIE lab, I think it's safer to use "OU"
>>
>> With regards
>> Kings
>>
>> On Fri, Sep 16, 2011 at 6:37 AM, Jim Terry <[email protected]> wrote:
>>
>>> Hi Mark,
>>>
>>> OU- always puts a user in that group.
>>> user-vpn-group= if a user tries to login under the wrong group the
>>> connection is terminated. If he logs with the right group- he is
>>> allowed.
>>>
>>> JT
>>>
>>> On Wed, Sep 14, 2011 at 11:29 PM, Kingsley Charles <[email protected]> wrote:
>>> > I think it's better to lab and see what's happening.
>>> >
>>> > Snippet from
>>> > http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1516834
>>> >
>>> > User-VPN-Group
>>> >
>>> > The User-VPN-Group attribute is a replacement for the Group-Lock attribute.
>>> > It allows support for both preshared key and RSA signature authentication
>>> > mechanisms such as certificates.
>>> >
>>> > If you need to check that the group a user is attempting to connect to is
>>> > indeed the group the user belongs to, use the User-VPN-Group attribute. The
>>> > administrator sets this attribute to a string, which is the group that the
>>> > user belongs to. The group the user belongs to is matched against the VPN
>>> > group as defined by group name (ID_KEY_ID) for preshared keys or by the OU
>>> > field of a certificate. If the groups do not match, the client connection is
>>> > terminated.
>>> >
>>> > This feature works only with AAA RADIUS. Local Xauth authentication must
>>> > still use the Group-Lock attribute.
>>> >
>>> > BTW, why are you using IOS Radius attribute for ASA authorization?
>>> >
>>> > With regards
>>> > Kings
>>> >
>>> > On Thu, Sep 15, 2011 at 8:00 AM, Mark Senteza <[email protected]> wrote:
>>> >>
>>> >> OK.
>>> >>
>>> >> So it really does do the same thing as the "ipsec:user-vpn-group" commands
>>> >> under the "Cisco IOS/PIX Radius Attributes"
>>> >>
>>> >> To me it seemed to do just that, but thought there might be a difference.
>>> >>
>>> >> On Wed, Sep 14, 2011 at 6:40 PM, Jim Terry <[email protected]> wrote:
>>> >>>
>>> >>> It directly adds the user to the ASA group that the OU=xx; points to.
>>> >>>
>>> >>> JT
>>> >>>
>>> >>> On Wed, Sep 14, 2011 at 7:03 PM, Mark Senteza <[email protected]> wrote:
>>> >>> > Jim,
>>> >>> >
>>> >>> > so you're saying that the [025] Class setting overrides the
>>> >>> > "ipsec:user-vpn-group" setting or directly adding the user to the
>>> >>> > group? Is that right?
>>> >>> >
>>> >>> > Mark
>>> >>> >
>>> >>> > On Wed, Sep 14, 2011 at 5:58 PM, Jim Terry <[email protected]> wrote:
>>> >>> >>
>>> >>> >> Hi Mark,
>>> >>> >>
>>> >>> >> The OU on the ACS will override what is on the ASA- even if it is the
>>> >>> >> same. A practical application is you put all vpn users into one
>>> >>> >> tunnel group/group policy with no access. Then match them by OU and
>>> >>> >> put them in a diff group policy on the ASA based on HR/Execs etc.
>>> >>> >>
>>> >>> >> JT
>>> >>> >>
>>> >>> >> On Wed, Sep 14, 2011 at 4:12 PM, Mark Senteza <[email protected]> wrote:
>>> >>> >> > Kingsley,
>>> >>> >> >
>>> >>> >> > I did have the default-group-policy defined under the tunnel-group
>>> >>> >> > configuration. The config:
>>> >>> >> >
>>> >>> >> > group-policy EZVPN external server-group RADIUS password cisco
>>> >>> >> >
>>> >>> >> > tunnel-group EZVPN type remote-access
>>> >>> >> > tunnel-group EZVPN general-attributes
>>> >>> >> >  default-group-policy EZVPN
>>> >>> >> >
>>> >>> >> > On Tue, Sep 13, 2011 at 11:08 PM, Kingsley Charles <[email protected]> wrote:
>>> >>> >> >>
>>> >>> >> >> When you don't have the "default-group-policy" configured under the
>>> >>> >> >> tunnel general sub-mode, then ASA will not know which group policy to
>>> >>> >> >> apply. In that case, you should add Radius AV 25 to the Xauth user
>>> >>> >> >> account on ACS and that should be the external group policy name that
>>> >>> >> >> you have configured on the ASA.
>>> >>> >> >>
>>> >>> >> >> With regards
>>> >>> >> >> Kings
>>> >>> >> >>
>>> >>> >> >> On Wed, Sep 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
>>> >>> >> >>>
>>> >>> >> >>> Hello all,
>>> >>> >> >>>
>>> >>> >> >>> I have my ASA setup as an EZVPN server, with an externally configured
>>> >>> >> >>> group-policy on the RADIUS server, like so:
>>> >>> >> >>>
>>> >>> >> >>> group-policy EZVPN external server-group RADIUS password cisco
>>> >>> >> >>>
>>> >>> >> >>> My group setup has the following:
>>> >>> >> >>>
>>> >>> >> >>> Group renamed to "EZVPN"
>>> >>> >> >>>
>>> >>> >> >>> Cisco VPN 3000/ASA/PIX v7.x+ RADIUS Attributes
>>> >>> >> >>> [3076\011] Tunneling-Protocol = WebVPN & IPSec
>>> >>> >> >>> [3076\072] IPSec-Split-Tunnel-List = SPLIT-TUNNEL   <- SPLIT-TUNNEL ACL configured on the ASA
>>> >>> >> >>> [3076\055] IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
>>> >>> >> >>> [3076\217] Address-Pools = EZVPN   <- EZVPN address pool configured on the ASA
>>> >>> >> >>>
>>> >>> >> >>> I have a user setup (for pulling down Radius Attributes) as follows:
>>> >>> >> >>> User Name: EZVPN (same name as the Group)
>>> >>> >> >>> Password: cisco
>>> >>> >> >>>
>>> >>> >> >>> And finally my XAUTH User Setup
>>> >>> >> >>> User Name: ezvpnuser
>>> >>> >> >>> Password: cisco
>>> >>> >> >>>
>>> >>> >> >>> setup config for test 1 - under Cisco IOS/PIX 6.x RADIUS Attributes
>>> >>> >> >>>
>>> >>> >> >>> [009\001] cisco-av-pair
>>> >>> >> >>> ipsec:user-vpn-group=EZVPN
>>> >>> >> >>>
>>> >>> >> >>> setup config for test 2 - under IETF RADIUS Attributes
>>> >>> >> >>>
>>> >>> >> >>> [025] Class
>>> >>> >> >>> OU=EZVPN;
>>> >>> >> >>>
>>> >>> >> >>> My question is related to the setup config I mentioned in the last
>>> >>> >> >>> section for test 1 and test 2. When I use either config for the XAUTH
>>> >>> >> >>> user I am still able to successfully establish a VPN connection to the
>>> >>> >> >>> ASA EZVPN server. The user is assigned the attributes as defined in the
>>> >>> >> >>> group setup and encrypts traffic only to the split-tunnel networks.
>>> >>> >> >>>
>>> >>> >> >>> Why and when would I have to use the "[025] Class" config under the IETF
>>> >>> >> >>> RADIUS Attributes for the user?
>>> >>> >> >>>
>>> >>> >> >>> Mark
>>> >>> >> >>>
>>> >>> >> >>> _______________________________________________
>>> >>> >> >>> For more information regarding industry leading CCIE Lab training,
>>> >>> >> >>> please visit www.ipexpert.com
>>> >>> >> >>>
>>> >>> >> >>> Are you a CCNP or CCIE and looking for a job? Check out
>>> >>> >> >>> www.PlatinumPlacement.com
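An added example, not from the thread or from Cisco: a small Python model of the two behaviours the replies describe, so the difference between them can be checked against Mark's test 1 and test 2 and against JT's "no-access default, OU moves you" design. The attribute tuples, the NOACCESS/HR policy names and the handling of a missing default-group-policy (modelled as a rejected login, following Kingsley's note) are assumptions of the model, not ASA code.

```python
"""Model of the two RADIUS authorization attributes discussed in the thread:

  Class (IETF 25) = "OU=<group-policy>;"        -> user is placed in that
      group-policy, overriding the tunnel-group default (JT)
  cisco-av-pair "ipsec:user-vpn-group=<name>"   -> group lock: must equal the
      tunnel group the client connected with, else the session is
      terminated (JT / Cisco User-VPN-Group text)

Illustrative model only, not ASA code; inputs in the tests are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Decision:
    allowed: bool
    group_policy: Optional[str]
    reason: str


def parse_attrs(attrs: List[Tuple[str, str]]):
    """Extract OU= (from Class) and user-vpn-group (from cisco-av-pair)
    out of (attribute-name, value) pairs as ACS displays them."""
    ou = lock = None
    for name, value in attrs:
        if name == "Class":
            # ACS convention: "OU=<group-policy>;" -- text between OU= and ';'
            for part in value.split(";"):
                part = part.strip()
                if part.startswith("OU="):
                    ou = part[3:].strip()
        elif name == "cisco-av-pair":
            key, _, val = value.partition("=")
            if key.strip() == "ipsec:user-vpn-group":
                lock = val.strip()
    return ou, lock


def authorize(attrs, tunnel_group: str, default_group_policy: Optional[str] = None):
    ou, lock = parse_attrs(attrs)
    # Group lock: connecting under the wrong tunnel group ends the session.
    if lock is not None and lock != tunnel_group:
        return Decision(False, None, f"user-vpn-group {lock!r} != {tunnel_group!r}")
    # OU= always wins over whatever the tunnel-group would have assigned.
    if ou is not None:
        return Decision(True, ou, "group-policy taken from Class OU=")
    if default_group_policy is None:
        # Assumption: no OU= and no default-group-policy -> ASA has nothing to apply
        return Decision(False, None, "no group-policy selected")
    return Decision(True, default_group_policy, "tunnel-group default-group-policy")
```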
