[RADIATOR] Cisco ASA group-lock feature by using radiator

Alexander Hartmaier alexander.hartmaier at t-systems.at
Mon Mar 16 06:32:42 CST 2009


Hello colleague!

We also use Radiator with Cisco Concentrators, ASAs and routers.

As already mentioned you need to pass the Group name in the Class
attribute with the value 'OU=yourgroupname'.
For us the trailing ; is not needed.

--
Alexander Hartmaier <alexander.hartmaier at t-systems.at>
T-Systems Austria GesmbH


On Friday, 13.03.2009, 17:42 +0100, Zwanziger, Harald wrote:
> Hi Ian,
>
> thanks for your help. I have seen this hint in the ASA documentation,
> but the behaviour is the same.
>
> Here is some information from the ASA log:
>
> Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User yy/
> xxx, Addr 80.4.187.42: Session Attribute aaa.radius["25"]["1"] = VPDN
> Group yy
>
> Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User
> yy / xxx, Addr 80.4.187.42: Session Attribute aaa.cisco.username =
> yy / xxx
>
> Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User
> yy / xxx, Addr 80.4.187.42: Session Attribute aaa.cisco.tunnelgroup =
> VPDN Group yy
>
> Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-6-734001: DAP: User
> yy / xxx, Addr 80.4.187.42, Connection IPSec: The following DAP
> records were selected for this connection: DfltAccessPolicy
>
> Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-3-713060: Group = VPDN
> Group yy, Username = yy / xxx, IP = 80.4.187.42, Tunnel Rejected: User
> (yy / xxx) not member of group (VPDN Group yy), group-lock check
> failed.
>
> I think it is essential to find the correct RADIUS attribute.
>
> Kind regards
>
> > -----Original Message-----
> > From: Ian Henderson [mailto:ianh at chime.net.au]
> > Sent: Friday, 13 March 2009 01:12
> > To: Zwanziger, Harald; radiator at open.com.au
> > Subject: RE: Cisco ASA group-lock feature by using radiator
> >
> > Zwanziger, Harald wrote on 2009-03-12:
> >
> > >                 AddToReply Class = "testing"
> >
> > You need to add 'OU=' to the start and ';' to the end of the Class
> > AVP. So:
> >
> >         AddToReply Class = "OU=testing;"
> >
> > It's an ASA thing.
> >
> > Rgds,
> >
> > - I.
> >
> > --
> > Ian Henderson, CCIE #14721
> > Senior Network Engineer, iiNet Limited
>
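The thread's point is that the ASA only honours the RADIUS Class attribute (attribute 25) for group-lock when the value reads `OU=<groupname>` with an optional trailing `;`, and the quoted log shows exactly what a wrong value looks like (`VPDN Group yy` with no `OU=` prefix, followed by `%ASA-3-713060 ... group-lock check failed`). The following Python is an added example, not part of the thread or of Radiator: it parses such a Class value the way the ASA reads it and audits ASA syslog lines so a defender can pair each received Class attribute with a group-lock rejection and see why the lock failed. The regular expressions and the sample log (reconstructed from the lines quoted above) are my assumptions.

```python
import re

# Constructed sample, rebuilt from the ASA log lines quoted in the thread.
SAMPLE_LOG = """\
Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User yy / xxx, Addr 80.4.187.42: Session Attribute aaa.radius["25"]["1"] = VPDN Group yy
Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User yy / xxx, Addr 80.4.187.42: Session Attribute aaa.cisco.tunnelgroup = VPDN Group yy
Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-3-713060: Group = VPDN Group yy, Username = yy / xxx, IP = 80.4.187.42, Tunnel Rejected: User (yy / xxx) not member of group (VPDN Group yy), group-lock check failed.
"""

# Assumed patterns for the two log message types we care about.
CLASS_RE = re.compile(r'aaa\.radius\["25"\]\["1"\] = (?P<value>.+)$')
REJECT_RE = re.compile(
    r'%ASA-3-713060: Group = (?P<group>.+?), Username = (?P<user>.+?), '
    r'IP = (?P<ip>\S+), Tunnel Rejected: .*group-lock check failed')


def parse_class_group(value):
    """Return the group the ASA would read from a RADIUS Class value:
    the text after 'OU=' with an optional trailing ';', or None if the
    value is not in that form (e.g. a bare group name)."""
    m = re.fullmatch(r'OU=(?P<group>[^;]+);?', value.strip())
    return m.group('group') if m else None


def audit_asa_log(text):
    """Walk ASA syslog lines in order, remember the last Class attribute
    the ASA reported receiving, and explain every group-lock rejection."""
    findings = []
    received_class = None
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            received_class = m.group('value').strip()
            continue
        m = REJECT_RE.search(line)
        if not m:
            continue
        class_group = parse_class_group(received_class or '')
        if class_group is None:
            reason = 'Class value lacks the OU= prefix the ASA expects'
        else:
            reason = 'Class group does not match the tunnel group'
        findings.append({'user': m.group('user'), 'ip': m.group('ip'),
                         'tunnel_group': m.group('group'),
                         'class_value': received_class,
                         'class_group': class_group, 'reason': reason})
    return findings
```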

