[RADIATOR] Distinguishing tunnel-group in Cisco ASA Access-Requests

Andrew Clark adc at umn.edu
Thu Jun 3 20:34:58 CDT 2010


Hi everyone,

This isn't really a Radiator question, but I'm hoping someone on this list
will have found a better way to do this than I have.

My problem with RADIUS requests from the ASA5550 is distinguishing which
tunnel-group (VPN group) a user wishes to join.  There doesn't seem to be
anything in the access-request indicating the tunnel group, so I'm left with
using something at L3 (different IP addresses) or L4 (different UDP ports)
to distinguish these requests.  For now, I'm using different UDP ports, with
the ASA configured to send requests to different ports for different
tunnel-groups, and with different Radiator processes per pair of auth/acct
ports, which is pretty rotten.
I'm not looking to change the tunnel-group or anything like that, just
looking to distinguish requests for one tunnel-group from requests for
another and then handle them appropriately.  There's a one-to-many
relationship of users to tunnel-groups, so I can't just lock particular
users into one group.

Anyone found a better way to do this that doesn't involve extra ASAs or
extra Radiator processes/servers?

-- 
Andrew D. Clark
Network Operations Engineer
University of Minnesota, Networking/Telecom Services
2218 University Ave SE
Minneapolis, MN 55414-3029
Phone: 612-626-4880