[RADIATOR] Cisco ASA group-lock feature by using radiator

Zwanziger, Harald Harald.Zwanziger at t-systems-sfr.com
Thu Mar 12 05:09:59 CST 2009


Hi all,

We have used Radiator in combination with Cisco VPN Concentrators for several
years. In our configuration we need the group-lock feature to lock users into
special VPN groups. The configuration looks like this:

        AuthByPolicy ContinueWhileIgnore
        <AuthBy LDAP2>
                Host hostname
                BaseDN dc=xxx,dc=xxx,dc=xx
                Scope sub
                ServerChecksPassword
                UsernameAttr sAMAccountname
                SearchFilter (&(&(%0=%1)(msNPAllowDialin=TRUE))(|(department=test1*)(department= test 2*)(department= test 3*)(department= test 4*)))
                AuthAttrDef extensionAttribute1,Framed-IP-Address, reply
                AddToReply Class = "testing"
                Timeout 10
                Version 3
                AuthDN cn=xxx,ou=xxx,ou=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx
                AuthPassword Password

With Concentrators it works fine!

If I use the same reply attribute “AddToReply” with a Cisco ASA, it seems
that the ASA does not understand that attribute and the authentication
fails.

Is there anyone with a nice idea?

Kind Regards

Harald

Harald Zwanziger
T-Systems Solutions for Research GmbH
Delivery Netze
Network Administrator
Linder Höhe, 51147 Köln
Phone: +49 (2203) 601-2038
Fax: +49 (2203) 601-2104
E-mail: harald.zwanziger at t-systems.com
Internet: http://www.t-systems-sfr.com

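When a NAS rejects a login that the RADIUS server accepted, a useful first check is to decode the Access-Accept from a packet capture and see exactly which reply attributes were sent. The following is an added example, not part of the original post and not Radiator or Cisco code: it parses the RFC 2865 attribute list of a constructed reply carrying the Class and Framed-IP-Address attributes from the configuration above. The address 10.0.0.5 and the function names are assumptions.

```python
import ipaddress
import struct

# Attribute and packet code numbers from RFC 2865.
ATTR_NAMES = {8: "Framed-IP-Address", 25: "Class", 26: "Vendor-Specific"}
CODES = {2: "Access-Accept", 3: "Access-Reject"}


def build_reply(code, ident, attrs):
    """Encode a RADIUS reply; the authenticator is zeroed (constructed sample)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body


def parse_reply(packet):
    """Return (code name, [(attribute name, decoded value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is type (1 byte), length (1 byte, header included), value.
        if length - pos < 2 or not 2 <= packet[pos + 1] <= length - pos:
            raise ValueError("bad attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == 8 and len(value) == 4:
            decoded = str(ipaddress.IPv4Address(value))
        elif atype == 25:
            decoded = value.decode("latin-1")  # Class is opaque octets
        else:
            decoded = value.hex()
        attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype), decoded))
        pos += alen
    return CODES.get(code, "Code-%d" % code), attrs


# Constructed sample: the reply attributes the posted AuthBy would add,
# with 10.0.0.5 standing in for the LDAP extensionAttribute1 value.
SAMPLE = build_reply(2, 1, [
    (8, ipaddress.IPv4Address("10.0.0.5").packed),
    (25, b"testing"),
])

if __name__ == "__main__":
    print(parse_reply(SAMPLE))
```

Comparing the decoded attribute list from a working Concentrator login with the one sent to the ASA shows whether the two devices receive the same reply.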