[c-nsp] WebVPN via RADIUS - how to identify by group?
Howdy all,

Anyone know if it's possible to get an ASA to spit out the group name in an av-pair via RADIUS when authenticating a user (in this case WebVPN)? The issue I'm having is multiple clients on the one ASA authenticating via IAS/AD and the possibility of overlapping usernames between clients (groups). I need another identifier from the ASA to auth them against other than user/pass; i.e. group would be perfect.

Any ideas?

Cheers
Ben

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
You could pass the group as a realm to the RADIUS server by having the users log in as [EMAIL PROTECTED]. The RADIUS server could authenticate them and return a Class=OU=GROUP; attribute to map them properly.

You could also provide a group list to the user:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

I prefer not to do this since it could make enumeration attacks a bit easier, but it has its place.

hope that helps,
Dave

--
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
---
Email: [EMAIL PROTECTED]
PGP: 0x4DC3E508 4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
The problem with the group selection method is that via a debug radius I don't see it send any attribute about the group to RADIUS (I did try this way at first), and therefore I can't get RADIUS to match on a group as well as user/pass. The [EMAIL PROTECTED] might be an option; have you tried this before, sending back a group attribute to the ASA from RADIUS, and does it actually acknowledge it and put the WebVPN user into that group?

Cheers
Ben

-----Original Message-----
From: LaPorte, David [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 September 2008 9:54 PM
To: Ben Steele
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
We're doing exactly that, although with Radiator vs. IAS.

Dave
Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
Ben,

If you have two group policies set up on your ASA, GroupPolicy1 and GroupPolicy2, you can set the RADIUS Class attribute to OU=GroupPolicy1 or OU=GroupPolicy2. In IAS, set up two policies, matching AD Security Groups Group1 and Group2 respectively. Members of Group1 are assigned OU=GroupPolicy1, and Group2 gets OU=GroupPolicy2. The text after OU= then matches the name of the ASA's group policy exactly and will assign that group policy to the VPN user's session.

If you now also have two tunnel groups, TunnelGroup1 and TunnelGroup2, on the ASA, you can use the group-lock xxx command to lock TunnelGroup1 to GroupPolicy1 and TunnelGroup2 to GroupPolicy2. If a user who is a member of Group1 tries to use the TunnelGroup2 VPN profile, they will get rejected when the ASA compares the OU=GroupPolicy1 (assigned to the user by IAS) with the GroupPolicy2 value expected by TunnelGroup2.

Cheers
Stuart
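The Class attribute plus group-lock arrangement Stuart describes, written out as an ASA configuration fragment. This is an added illustration, not configuration posted in the thread; the server name RADIUS-IAS, its address, the interface name, the shared key and the group-url hostnames are assumed placeholder values.

```cisco
! Added example, not from the thread. RADIUS server object for the IAS box
! that authenticates users against AD (address, interface and key are
! placeholders).
aaa-server RADIUS-IAS protocol radius
aaa-server RADIUS-IAS (inside) host 10.0.0.5
 key CHANGE-ME-shared-secret
!
! One group policy per client. The policy name must match exactly what
! IAS returns in the IETF Class attribute of the Access-Accept:
! "OU=GroupPolicy1;" for members of AD security group Group1 and
! "OU=GroupPolicy2;" for Group2. The RADIUS-assigned policy overrides
! the tunnel group's default-group-policy below.
! (vpn-tunnel-protocol webvpn is the ASA 8.0-era keyword for clientless.)
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol webvpn
 group-lock value TunnelGroup1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol webvpn
 group-lock value TunnelGroup2
!
! One tunnel group (connection profile) per client, both authenticating
! against the same RADIUS server. A Group1 user who lands in TunnelGroup2
! is rejected: IAS assigns GroupPolicy1, whose group-lock allows
! TunnelGroup1 only, so overlapping usernames between clients cannot
! cross over.
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
 authentication-server-group RADIUS-IAS
 default-group-policy GroupPolicy1
tunnel-group TunnelGroup1 webvpn-attributes
 group-url https://vpn.example.com/client1 enable
tunnel-group TunnelGroup2 type remote-access
tunnel-group TunnelGroup2 general-attributes
 authentication-server-group RADIUS-IAS
 default-group-policy GroupPolicy2
tunnel-group TunnelGroup2 webvpn-attributes
 group-url https://vpn.example.com/client2 enable
!
! group-url selects the tunnel group from the URL the client hits, so the
! login page need not expose a drop-down list of groups (the enumeration
! concern Dave raised). To verify the mapping, watch the Class value in
! the Access-Accept with "debug radius", then check which group policy and
! tunnel group each session received with "show vpn-sessiondb webvpn".
```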