[RADIATOR] Distinguishing tunnel-group in Cisco ASA Access-Requests

Hugh Irvine hugh at open.com.au
Fri Jun 4 04:20:48 CDT 2010


Hello Andrew -

I generally use multiple Radiator instances on different port numbers like you have done.

Unless there is something in the RADIUS requests you can use, using different port numbers is probably the best option.

regards

Hugh


On 3 Jun 2010, at 21:34, Andrew Clark wrote:

> Hi everyone,
> 
> this isn't really a Radiator question, but I'm hoping someone on this list will have found a better way to do this than I have.
> 
> My problem with RADIUS requests from the ASA5550 is distinguishing which tunnel-group (VPN group) a user wishes to join.  There doesn't seem to be anything in the access-request indicating the tunnel group, so I'm left with using something at L3 (different IP addresses) or L4 (different UDP ports) to distinguish these requests.  For now, I'm using different UDP ports, with the ASA configured to send requests to different ports for different tunnel-groups, and with different Radiator processes per pair of auth/acct ports, which is pretty rotten.  
> I'm not looking to change the tunnel-group or anything like that, just looking to distinguish requests for one tunnel-group from requests for another and then handle them appropriately.  There's a one-to-many relationship of users to tunnel-groups, so I can't just lock particular users into one group.
> 
> Anyone found a better way to do this that doesn't involve extra ASAs or extra Radiator processes/servers?
> 
> -- 
> Andrew D. Clark
> Network Operations Engineer
> University of Minnesota, Networking/Telecom Services
> 2218 University Ave SE
> Minneapolis, MN 55414-3029
> Phone: 612-626-4880
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
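One way to avoid a separate server process per auth/acct port pair, shown here as an added example that is not from the thread or from Radiator: a single listener that owns all the ports and tags each Access-Request with the tunnel-group implied by the UDP port it arrived on. The port-to-group map and the sample packet are constructed assumptions, and requests on an unmapped port or with a malformed layout are rejected rather than guessed at.

```python
import socket
import struct
from typing import Optional

# Hypothetical mapping: the ASA is configured to send each tunnel-group's
# requests to its own UDP port (constructed values, not from the thread).
PORT_TO_TUNNEL_GROUP = {1812: "employees", 1814: "contractors"}

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4


def parse_radius(packet: bytes) -> dict:
    """Parse the RFC 2865 header and TLV attributes; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def classify(local_port: int, packet: bytes) -> Optional[dict]:
    """Tag an Access-Request with the tunnel-group implied by the receiving port."""
    group = PORT_TO_TUNNEL_GROUP.get(local_port)
    if group is None:
        return None  # unmapped port: discard, as for an unknown client
    msg = parse_radius(packet)
    if msg["code"] != ACCESS_REQUEST:
        return None
    user = msg["attrs"].get(ATTR_USER_NAME, [b""])[0].decode("utf-8", "replace")
    nas = msg["attrs"].get(ATTR_NAS_IP_ADDRESS)
    nas_ip = socket.inet_ntoa(nas[0]) if nas and len(nas[0]) == 4 else None
    return {"tunnel_group": group, "user": user, "nas_ip": nas_ip, "id": msg["id"]}


def build_access_request(ident: int, user: bytes, nas_ip: str) -> bytes:
    """Constructed sample packet: zeroed Request Authenticator, no User-Password."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    attrs += bytes([ATTR_NAS_IP_ADDRESS, 6]) + socket.inet_aton(nas_ip)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs
```

In a real deployment the per-port socket would be bound once and the group tag passed into the handler that picks the user store and reply attributes for that tunnel-group.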
