The problem with the group selection method is that via a debug radius I don't see it send any attribute about the group to RADIUS (I did try this way at first), and therefore I can't get RADIUS to match on a group as well as user/pass. The [EMAIL PROTECTED] might be an option. Have you tried this before by sending back a group attribute to the ASA from RADIUS and it actually acknowledging it and putting the WEBVPN user into that group?

Cheers

Ben

-----Original Message-----
From: LaPorte, David [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 September 2008 9:54 PM
To: Ben Steele
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group?

You could pass the group as a realm to the RADIUS server by having the users log in as [EMAIL PROTECTED]. The RADIUS server could authenticate them and return a Class="OU=GROUP;" attribute to map them properly.

You could also provide a group list to the user:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

I prefer not to do this since it could make enumeration attacks a bit easier, but it has its place.

Hope that helps,

Dave

Ben Steele wrote:
> Howdy all,
>
> Anyone know if it's possible to get an ASA to spit out the group name in an
> av-pair via radius when authenticating a user? (in this case webvpn).
>
> The issue I'm having is multiple clients on the one ASA authenticating via
> IAS/AD and the possibility of overlapping usernames between clients (groups),
> I need another identifier from the ASA to auth them against other than
> user/pass, ie group would be perfect.
>
> Any ideas?
>
> Cheers
>
> Ben
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
-----------------------------------------------
Email: [EMAIL PROTECTED]
PGP: 0x4DC3E508 4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
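
Added example (not part of the thread and not code from either poster): a sketch of the RADIUS-side decision described above, where the realm after the last "@" selects the client's user store and a successful login returns a Class="OU=...;" value. The realm names, group-policy names, passwords and the `authorize` function are constructed assumptions; a real deployment would put this logic in the RADIUS server's own policy.

```python
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: two clients (realms) on one ASA that both have a
# user called "jsmith". Realm names, policy names and passwords are made up.
TENANTS = {
    "clienta": {"policy": "CLIENTA-GP",
                "users": {"jsmith": (b"salt-a", _hash("correct horse", b"salt-a"))}},
    "clientb": {"policy": "CLIENTB-GP",
                "users": {"jsmith": (b"salt-b", _hash("battery staple", b"salt-b"))}},
}
# Dummy record so unknown realms/users still cost one hash and one compare.
_DUMMY = (b"dummy-salt", _hash("dummy", b"dummy-salt"))

def split_realm(user_name: str):
    """Split 'user@realm' on the last '@'; return (user, realm) or None."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        return None
    return user, realm.lower()

def authorize(user_name: str, password: str) -> dict:
    """Return an Access-Accept carrying Class, or a uniform Access-Reject."""
    parts = split_realm(user_name)
    tenant = TENANTS.get(parts[1]) if parts else None
    record = tenant["users"].get(parts[0]) if tenant else None
    salt, stored = record or _DUMMY
    # Same work and same answer for a missing realm, an unknown user and a bad
    # password, so the reply does not reveal which realms or users exist.
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if record is None or not ok:
        return {"code": "Access-Reject"}
    # Class value in the OU=GROUP; form quoted in the thread.
    return {"code": "Access-Accept", "Class": f"OU={tenant['policy']};"}

if __name__ == "__main__":
    print(authorize("jsmith@clienta", "correct horse"))
    print(authorize("jsmith@clientb", "correct horse"))
```
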