[RADIATOR] Cisco ASA group-lock feature by using radiator

Zwanziger, Harald Harald.Zwanziger at t-systems-sfr.com
Tue Mar 17 11:15:24 CST 2009


Hi all,

The problem is fixed. The ASA does not support blanks in the group name when
using the group-lock feature.

Thanks a lot for the help.

Kind regards
Harald

> -----Original Message-----
> From: Alexander Hartmaier [mailto:alexander.hartmaier at t-systems.at]
> Sent: Monday, 16 March 2009 13:33
> To: Zwanziger, Harald
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Cisco ASA group-lock feature by using radiator
> 
> Hello colleague!
> 
> We also use Radiator with Cisco concentrators, ASAs and routers.
> 
> As already mentioned you need to pass the Group name in the Class
> attribute with the value 'OU=yourgroupname'.
> For us the trailing ; is not needed.
> 
> --
> Alexander Hartmaier <alexander.hartmaier at t-systems.at>
> T-Systems Austria GesmbH
> 
> 
> On Friday, 13.03.2009, at 17:42 +0100, Zwanziger, Harald wrote:
> > Hi Ian,
> >
> >
> >
> > Thanks for your help. I have seen this hint in the ASA documentation,
> > but it is the same behaviour.
> >
> > Here is some information from the ASA log:
> >
> >
> >
> > Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User yy/
> > xxx, Addr 80.4.187.42: Session Attribute aaa.radius["25"]["1"] = VPDN
> > Group yy
> >
> > Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User
> > yy / xxx, Addr 80.4.187.42: Session Attribute aaa.cisco.username =
> > yy / xxx
> >
> > Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User
> > yy / xxx, Addr 80.4.187.42: Session Attribute aaa.cisco.tunnelgroup =
> > VPDN Group yy
> >
> > Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-6-734001: DAP: User
> > yy / xxx, Addr 80.4.187.42, Connection IPSec: The following DAP
> > records were selected for this connection: DfltAccessPolicy
> >
> > Mar 11 11:46:45 xxx Mar 11 2009 11:46:59: %ASA-3-713060: Group = VPDN
> > Group yy, Username = yy / xxx, IP = 80.4.187.42, Tunnel Rejected: User
> > (yy / xxx) not member of group (VPDN Group yy), group-lock check
> > failed.
> >
> >
> >
> > I think it is essential to find the correct RADIUS attribute.
> >
> >
> >
> > Kind regards
> >
> >
> >
> > > -----Original Message-----
> > > From: Ian Henderson [mailto:ianh at chime.net.au]
> > > Sent: Friday, 13 March 2009 01:12
> > > To: Zwanziger, Harald; radiator at open.com.au
> > > Subject: RE: Cisco ASA group-lock feature by using radiator
> >
> > >
> >
> > > Zwanziger, Harald wrote on 2009-03-12:
> >
> > >
> >
> > > >                 AddToReply Class = "testing"
> >
> > >
> >
> > > You need to add 'OU=' to the start and ';' to the end of the Class
> > > AVP. So:
> >
> > >
> >
> > >         AddToReply Class = "OU=testing;"
> >
> > >
> >
> > > It's an ASA thing.
> >
> > >
> >
> > > Rgds,
> >
> > >
> >
> > >
> >
> > >
> >
> > > - I.
> >
> > >
> >
> > > --
> >
> > > Ian Henderson, CCIE #14721
> >
> > > Senior Network Engineer, iiNet Limited
> >
> >
> >
> >
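
A log-triage sketch for the failure discussed in this thread, added here as an example and not code from any poster, from Radiator or from Cisco: it reads ASA syslog lines in the format quoted above and, for each group-lock rejection, reports whether the Class value lacks the 'OU=' prefix or the group name contains blanks. The sample lines, user names, group names and addresses are constructed, and the function and variable names are hypothetical.

```python
import re

# Constructed sample lines, modelled on the ASA syslog format quoted in the thread.
SAMPLE_LOG = """\
Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User alice, Addr 192.0.2.10: Session Attribute aaa.radius["25"]["1"] = VPDN Group A
Mar 11 2009 11:46:59: %ASA-7-734003: DAP: User alice, Addr 192.0.2.10: Session Attribute aaa.cisco.tunnelgroup = VPDN Group A
Mar 11 2009 11:46:59: %ASA-3-713060: Group = VPDN Group A, Username = alice, IP = 192.0.2.10, Tunnel Rejected: User (alice) not member of group (VPDN Group A), group-lock check failed.
Mar 11 2009 11:47:30: %ASA-7-734003: DAP: User bob, Addr 192.0.2.11: Session Attribute aaa.radius["25"]["1"] = OU=staff;
Mar 11 2009 11:47:30: %ASA-7-734003: DAP: User bob, Addr 192.0.2.11: Session Attribute aaa.cisco.tunnelgroup = staff
"""

# 734003 carries the DAP session attributes; 713060 is the group-lock rejection.
ATTR = re.compile(r'%ASA-7-734003: DAP: User (.+?), Addr \S+: Session Attribute (\S+) = (.*)$')
REJECT = re.compile(r'%ASA-3-713060: Group = (.+?), Username = (.+?), IP = .*group-lock check failed')
CLASS_KEY = 'aaa.radius["25"]["1"]'  # RADIUS Class (attribute 25) as the ASA logs it

def diagnose(log_text):
    """Return {user: [findings]} for sessions rejected by the group-lock check."""
    sessions, rejected = {}, {}
    for line in log_text.splitlines():
        if m := ATTR.search(line):
            user, name, value = m.groups()
            sessions.setdefault(user, {})[name] = value.strip()
        elif m := REJECT.search(line):
            rejected[m.group(2)] = m.group(1)
    report = {}
    for user, group in rejected.items():
        cls = sessions.get(user, {}).get(CLASS_KEY)
        findings = []
        if cls is None:
            findings.append("no Class (attribute 25) seen in reply")
        elif not cls.startswith("OU="):      # format given in the thread: OU=<group>, optional ';'
            findings.append("Class lacks the 'OU=' prefix")
        elif cls[3:].rstrip(";") != group:
            findings.append("Class OU value differs from tunnel group")
        if " " in group:                     # the cause reported at the top of the thread
            findings.append("tunnel group name contains blanks")
        report[user] = findings
    return report

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```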