[RADIATOR] Cisco ASA group-lock feature by using radiator
Zwanziger, Harald
Harald.Zwanziger at t-systems-sfr.com
Fri Mar 13 10:42:53 CST 2009
Hi Ian,
thanks for your help. I have seen this hint in the ASA documentation but it
is the same behaviour.
Here is some information from the ASA log:
Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User yy/ xxx,
Addr 80.4.187.42: Session Attribute aaa.radius["25"]["1"] = VPDN Group yy
Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User yy / xxx,
Addr 80.4.187.42: Session Attribute aaa.cisco.username = yy / xxx
Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User yy / xxx,
Addr 80.4.187.42: Session Attribute aaa.cisco.tunnelgroup = VPDN Group yy
Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-6-734001: DAP: User yy / xxx,
Addr 80.4.187.42, Connection IPSec: The following DAP records were selected
for this connection: DfltAccessPolicy
Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-3-713060: Group = VPDN Group
yy, Username = yy / xxx, IP = 80.4.187.42, Tunnel Rejected: User (yy / xxx)
not member of group (VPDN Group yy), group-lock check failed.
I think it is essential to find the correct RADIUS attribute.
Kind regards
> -----Original Message-----
> From: Ian Henderson [mailto:ianh at chime.net.au]
> Sent: Friday, 13 March 2009 01:12
> To: Zwanziger, Harald; radiator at open.com.au
> Subject: RE: Cisco ASA group-lock feature by using radiator
>
> Zwanziger, Harald wrote on 2009-03-12:
>
> > AddToReply Class = "testing"
>
> You need to add 'OU=' to the start and ';' to the end of the Class AVP.
> So:
>
> AddToReply Class = "OU=testing;"
>
> It's an ASA thing.
>
> Rgds,
>
>
>
> - I.
>
> --
> Ian Henderson, CCIE #14721
> Senior Network Engineer, iiNet Limited
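
Added example (not part of the original thread, and not Radiator or Cisco code): a Python script that pairs each 713060 group-lock rejection in an ASA syslog with the Class value (RADIUS attribute 25) that message 734003 logged for the same user and address, and reports whether that value has the OU=<name>; form described in the quoted reply. The sample lines, user names, group name and addresses are constructed, and the one-message-per-line layout is an assumption based on the wrapped log lines above.

```python
import re

# RADIUS attribute 25 (Class) as reported in DAP debug message 734003.
CLASS_RE = re.compile(
    r'%ASA-7-734003: DAP: User (?P<user>.+?), Addr (?P<ip>[\d.]+): '
    r'Session Attribute aaa\.radius\["25"\]\["1"\] = (?P<value>.*)$')
# Group-lock rejection, message 713060.
REJECT_RE = re.compile(
    r'%ASA-3-713060: Group = (?P<group>.+?), Username = (?P<user>.+?), '
    r'IP = (?P<ip>[\d.]+), Tunnel Rejected: .*group-lock check failed')
# Form given in the quoted reply: 'OU=' at the start, ';' at the end.
OU_RE = re.compile(r'^OU=(?P<name>[^;]+);$')

def diagnose(lines):
    """Pair each group-lock rejection with the Class value last logged for that user/IP."""
    last_class, findings = {}, []
    for line in lines:
        m = CLASS_RE.search(line)
        if m:
            last_class[(m['user'], m['ip'])] = m['value'].strip()
            continue
        m = REJECT_RE.search(line)
        if not m:
            continue
        value = last_class.get((m['user'], m['ip']))
        ou = OU_RE.match(value) if value else None
        if value is None:
            reason = 'no Class attribute logged'
        elif ou is None:
            reason = 'Class not in OU=<name>; form'
        else:
            reason = 'Class well-formed'
        findings.append({'user': m['user'], 'group': m['group'], 'class': value,
                         'ou': ou['name'] if ou else None, 'reason': reason})
    return findings

# Constructed sample lines (placeholder names, documentation-range addresses).
SAMPLE = [
    '%ASA-7-734003: DAP: User alice, Addr 192.0.2.10: Session Attribute aaa.radius["25"]["1"] = EXAMPLE-GROUP',
    '%ASA-3-713060: Group = EXAMPLE-GROUP, Username = alice, IP = 192.0.2.10, Tunnel Rejected: User (alice) not member of group (EXAMPLE-GROUP), group-lock check failed.',
    '%ASA-7-734003: DAP: User bob, Addr 192.0.2.20: Session Attribute aaa.radius["25"]["1"] = OU=EXAMPLE-GROUP;',
    '%ASA-3-713060: Group = EXAMPLE-GROUP, Username = bob, IP = 192.0.2.20, Tunnel Rejected: User (bob) not member of group (EXAMPLE-GROUP), group-lock check failed.',
    '%ASA-3-713060: Group = EXAMPLE-GROUP, Username = carol, IP = 192.0.2.30, Tunnel Rejected: User (carol) not member of group (EXAMPLE-GROUP), group-lock check failed.',
]

if __name__ == '__main__':
    for finding in diagnose(SAMPLE):
        print(finding)
```

A rejection reported as "Class well-formed" means the attribute reached the ASA in the expected form, so the cause lies in the ASA configuration rather than in the RADIUS reply.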