Configuration Example

Within this example we will use this feature to assign different bookmarks to the user based on which OU group they are in. For this example we will use two OU groups: Sales and Finance.

In order for the correct group-policy to be assigned based on the OU, the OU returned by the RADIUS server must match the name of the corresponding group-policy. The OU returned must also be terminated by a semicolon (;). The example below shows this:
4f 55 3d 54 65 73 74 55 73 65 72 3b | OU=TestOU;<\/p>\n
Radius

Prior to configuring the firewall, each user or group on the RADIUS server is assigned RADIUS Attribute 25 (Class) carrying its OU value.

Cisco ASA

In essence the ASA configuration is fairly simple: a group-policy is created for each OU (and named accordingly), along with a single tunnel-group and an AAA server.

aaa-server RADServer protocol radius
aaa-server RADServer (dmz) host 192.168.1.100
 retry-interval 3
 timeout 25
 key ******
 radius-common-pw ******

group-policy Sales internal
group-policy Sales attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value bookmark1
  customization value DfltCustomization

group-policy Finance internal
group-policy Finance attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value bookmark2
  customization value DfltCustomization

tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
 address-pool ippool
 authentication-server-group RADServer
tunnel-group WebVPN webvpn-attributes
 group-alias WEBVPN-EXAMPLE enable

Debugging

When debugging there are two main commands on the ASA. These are:
debug radius all – shows the response and attributes returned by the RADIUS server.
show vpn-sessiondb webvpn – shows the group-policy and tunnel-group assigned to the user.

debug radius all

cisco-asa# debug radius all
RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 34).....
02 3a 00 22 e6 28 3c 24 8a d4 87 c1 71 16 ce de | .:.".(<$....q...
74 1d 46 81 19 0e 4f 55 3d 54 65 73 74 55 73 65 | t.F...OU=TestOU; |

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 58 (0x3A)
Radius: Length = 34 (0x0022)
Radius: Vector: E6283C241AD487C17016CBDE741D4681
Radius: Type = 25 (0x19) Class
Radius: Length = 14 (0x0E)
Radius: Value (String) =
4f 55 3d 54 65 73 74 55 73 65 72 3b | OU=TestOU;
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xab9dfcec session 0x413e id 58
free_rip 0xab9dfcec
radius: send queue empty
show vpn-sessiondb webvpn

cisco-asa# sh vpn-sessiondb webvpn

Session Type: WebVPN

Username     : Test                   Index        : 2395
Public IP    : 88.88.88.88
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 52548                  Bytes Rx     : 21453
Group Policy : TestOU                 Tunnel Group : WebVPN
Login Time   : 09:27:03 cdt Wed May 2 2012
Duration     : 0h:11m:55s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
Caveats

The main caveat with this configuration method arises when the same AAA server is used for different tunnel-groups. If the same authentication-server-group (RADIUS server) is assigned to each, then when RADIUS Attribute 25 is returned the user will be assigned to the group-policy matching their OU regardless of which tunnel-group they arrived on.

As you can imagine this can cause a number of complications, especially when a user arrives via an IPsec tunnel-group only to be assigned a WebVPN group-policy. The result on the client is a "Reason 433: Reason Not Specified by Peer" error.

The workaround is to assign different users or different authentication-server-groups to each tunnel-group.
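As an added illustration (not the article's or Cisco's code), the following Python script builds a constructed RADIUS Access-Accept carrying Attribute 25, extracts the OU the way the article describes the ASA matching it (the name must equal a group-policy and the value must end with a semicolon), and models the caveat above as a check between the protocol a user arrived on and the group-policy's vpn-tunnel-protocol. The GROUP_POLICIES table and the check_protocol function are assumptions for the demonstration.

```python
import struct
from typing import List, Optional, Tuple

# Constructed example: parses a RADIUS Access-Accept, pulls out Attribute 25
# (Class) and applies the OU-to-group-policy rule described in the article.
RADIUS_ACCESS_ACCEPT = 2
ATTR_CLASS = 25

# Assumed ASA configuration modelled on the article: group-policy name ->
# protocols allowed by its "vpn-tunnel-protocol" line.
GROUP_POLICIES = {"Sales": {"svc", "webvpn"}, "Finance": {"svc", "webvpn"}}


def build_access_accept(identifier: int, class_value: bytes) -> bytes:
    """Constructed Access-Accept: header, zeroed authenticator, one Class AVP."""
    avp = struct.pack("!BB", ATTR_CLASS, 2 + len(class_value)) + class_value
    length = 20 + len(avp)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, length)
    return header + bytes(16) + avp


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the AVP list after the 20-byte header; return (type, value) pairs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def ou_from_class(packet: bytes) -> Optional[str]:
    """Return the OU name from a Class value shaped like b'OU=Sales;', else None."""
    for atype, value in parse_attributes(packet):
        text = value.decode("ascii", errors="replace")
        if atype == ATTR_CLASS and text.startswith("OU=") and text.endswith(";"):
            return text[3:-1]
    return None  # no Class AVP, wrong prefix, or missing semicolon


def assign_group_policy(packet: bytes) -> Optional[str]:
    """Group-policy the ASA would apply: the OU, if a policy of that name exists."""
    ou = ou_from_class(packet)
    return ou if ou in GROUP_POLICIES else None


def check_protocol(policy: str, tunnel_protocol: str) -> bool:
    """Assumed check for the caveat: an IPsec arrival into a WebVPN-only policy fails."""
    return tunnel_protocol in GROUP_POLICIES.get(policy, set())
```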
Cisco ASA - Group-policy assignment based on OU - Fir3net