Cisco ASA VPN Group Policy matching...


csc...@gmail.com

Oct 19, 2015, 5:38:24 PM
to RCDevs Security Solutions - Technical
I am currently using LDAP authentication for VPN access and I want to switch to 2-factor auth to improve security. I have set up WebADM services and RADIUS is working for authentication, but I cannot figure out how to pass the user's LDAP group membership to match the VPN group policy. According to Cisco, the information is supposed to be sent via the IETF RADIUS Attribute 25 (Class).


Looking over the documentation, I cannot see how to do something like this. If there is another way, I do not see documentation from you guys about another way to do it. I need the ASA to choose the group policy based on the user.

Thanks,

Jason

Administrators

Oct 20, 2015, 5:56:37 AM
to RCDevs Security Solutions - Technical
You can edit a user and then edit its Application Settings for OpenOTP.
Set "Class=whatever" in the Reply Data setting. You can do this on a group too (if it is activated).

Then look at the RadiusBridge documentation and search for the data_is_vps configuration.
This is what you need. It will convert the reply data value pairs into RADIUS attributes.
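To make the Class-based matching concrete, here is an added example (not code from the thread, RCDevs, or Cisco) that takes a reply-data string of name=value pairs, as the answer above describes, packs it into a RADIUS Access-Accept with the IETF attribute 25 (Class), and then parses and verifies that packet the way the receiving NAS must. The comma-separated name=value format, the attribute-name table, the shared secret and the "OU=...;" sample value are all assumptions made for the demo; the Response Authenticator check is the one from RFC 2865 and is what stops a spoofed Access-Accept from assigning a group policy.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the IETF attribute number from RFC 2865 that the
# ASA matches its group policy against (attribute 25 = Class).
ACCESS_ACCEPT = 2
ATTR_CLASS = 25

# Assumed mapping from reply-data names to IETF attribute numbers;
# the server's own table is not shown in the thread.
NAME_TO_TYPE = {"Class": 25, "Reply-Message": 18}


def parse_reply_data(reply_data):
    """Turn 'Class=OU=VPN-Admins;,Reply-Message=hi' into (type, value) pairs.
    Only the first '=' separates name from value, so the value may itself contain '='."""
    attrs = []
    for pair in reply_data.split(","):
        name, _, value = pair.partition("=")
        name = name.strip()
        if name not in NAME_TO_TYPE:
            raise ValueError("unknown attribute name: %s" % name)
        encoded = value.strip().encode()
        if not 1 <= len(encoded) <= 253:  # 1-byte length field minus 2-byte header
            raise ValueError("attribute value must be 1..253 bytes")
        attrs.append((NAME_TO_TYPE[name], encoded))
    return attrs


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value(n).
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_accept(identifier, request_authenticator, secret, attrs):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # Response Authenticator (RFC 2865 section 3):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(packet):
    """Walk the attribute TLVs, rejecting truncated or oversized lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def verify_access_accept(packet, request_authenticator, secret):
    """What the NAS does: recompute the Response Authenticator before trusting any attribute."""
    code, identifier, attrs = parse_attrs(packet)
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, identifier, attrs


def class_values(attrs):
    """The Class (25) values the ASA would compare against its group policies."""
    return [v.decode() for t, v in attrs if t == ATTR_CLASS]


def demo():
    secret = b"constructed-shared-secret"       # constructed sample value
    req_auth = os.urandom(16)                   # stands in for the Access-Request authenticator
    attrs = parse_reply_data("Class=OU=VPN-Admins;,Reply-Message=welcome")
    packet = build_access_accept(7, req_auth, secret, attrs)
    code, identifier, got = verify_access_accept(packet, req_auth, secret)
    return code, identifier, class_values(got)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(2, 7, ['OU=VPN-Admins;'])`: an Access-Accept whose Class attribute carries the group name, accepted only because the authenticator computed with the shared secret matches. Feeding the same packet to `verify_access_accept` with a different secret raises, which is the property that protects the group-policy decision from a reply injected on the network.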

csc...@gmail.com

Oct 20, 2015, 12:03:09 PM
to RCDevs Security Solutions - Technical
Thanks, that fixed my issue.

Jean-François Hivert

Dec 31, 2015, 8:59:15 AM
to RCDevs Security Solutions - Technical
Hi,

I have the same case: I would like to reply radiusClass to my Cisco ASA to select the Group Policy.
On one user I added the radiusClass attribute, this is OK. Before that I added the freeradius schema to my OpenLDAP.

I would like to configure OpenOTP to reply with this attribute, is it possible?
I know the OpenOTP settings for changing reply data, I use this, but I prefer to reply with the LDAP attribute in this case.

So the question: how to configure OpenOTP or WebADM to reply with an LDAP attribute?

Thank you.

Regards,

Spyridon Gouliarmis (RCDevs)

Jan 11, 2016, 5:20:31 AM
to RCDevs Security Solutions - Technical
Right now, this isn't supported. Might be in the future, but we're taking on other projects, so no promises.

Jean-François Hivert

Jan 29, 2016, 7:14:55 AM
to RCDevs Security Solutions - Technical
Hi,

I found a solution without any dev.

FreeRadius-LDAP must be installed first.
In the FreeRadius configuration, in the Authorization section, add LDAP.
/!\ In the Authentication section we have only OpenOTP, no LDAP support.

For the LDAP module, configure the LDAP server(s) and read the user account.

After these steps, the LDAP attributes are returned in the RADIUS response.
You must also read the LDAP attribute map in the FreeRadius folder.

Regards,