[RADIATOR] Distinguishing tunnel-group in Cisco ASA Access-Requests

Alexander Hartmaier alexander.hartmaier at t-systems.at
Mon Jun 7 06:52:49 CDT 2010


Hi Andrew,

If you're trying to lock a user to a specific tunnel group, you can send
the group name in the RADIUS response in the Class RADIUS attribute in
the format 'OU=tunnelgroupname', and the ASA will not allow the user to
connect if he tries to connect with another group.
As the ASA doesn't send the tunnel group name in the RADIUS request,
there are no other means than different IPs/ports, as you already do.

--
Alexander Hartmaier <alexander.hartmaier at t-systems.at>
T-Systems Austria GesmbH

On Friday, 04.06.2010, 03:34 +0200, Andrew Clark wrote:
> Hi everyone,
>
> this isn't really a Radiator question, but I'm hoping someone on this
> list will have found a better way to do this than I have.
>
> My problem with RADIUS requests from the ASA5550 is distinguishing
> which tunnel-group (VPN group) a user wishes to join.  There doesn't
> seem to be anything in the access-request indicating the tunnel group,
> so I'm left with using something at L3 (different IP addresses) or L4
> (different UDP ports) to distinguish these requests.  For now, I'm
> using different UDP ports, with the ASA configured to send requests to
> different ports for different tunnel-groups, and with different
> Radiator processes per pair of auth/acct ports, which is pretty
> rotten.
> I'm not looking to change the tunnel-group or anything like that, just
> looking to distinguish requests for one tunnel-group from requests for
> another and then handle them appropriately.  There's a one-to-many
> relationship of users to tunnel-groups, so I can't just lock
> particular users into one group.
>
> Anyone found a better way to do this that doesn't involve extra ASAs
> or extra Radiator processes/servers?
>
> --
> Andrew D. Clark
> Network Operations Engineer
> University of Minnesota, Networking/Telecom Services
> 2218 University Ave SE
> Minneapolis, MN 55414-3029
> Phone: 612-626-4880
>


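The Class-attribute lock described in the reply above, as an added worked example (this is not code from the original message, from Radiator, or from Cisco): it builds the Access-Accept that carries Class = 'OU=<tunnel-group>' together with its RFC 2865 Response Authenticator, shows the check a NAS such as the ASA performs before trusting that reply, and models the group-lock decision. The shared secret, packet identifier, request authenticator and group names are constructed test values. The way the ASA compares the OU= value (exact match on the group name, no lock when the attribute is absent) is an assumption for the model, not something the page states.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types used here
ACCESS_ACCEPT = 2
ATTR_CLASS = 25


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS AVP as Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, tunnel_group: str) -> bytes:
    """Build an Access-Accept carrying Class = 'OU=<tunnel_group>'.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    so the NAS can tie the reply to its own request and to the shared secret.
    """
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    attributes = encode_attribute(ATTR_CLASS, f"OU={tunnel_group}".encode())
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def parse_attributes(packet: bytes) -> list:
    """Walk the AVP list, validating every length so a malformed packet cannot run off the end."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("Length field does not match the packet")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """The NAS-side check: recompute the Response Authenticator and compare in constant time."""
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


def group_lock_allows(packet: bytes, requested_group: str) -> bool:
    """Model of the ASA lock from the reply: the user may only join the group named in Class 'OU=...'.

    Assumption (not from the page): the comparison is an exact match on the group name, and a
    reply without an OU= Class attribute imposes no lock.
    """
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_CLASS and value.startswith(b"OU="):
            return value[3:].decode() == requested_group
    return True


# Constructed sample values: a request authenticator the ASA would have sent, and a test secret.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"testing123"
SAMPLE_ACCEPT = build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, "staff-vpn")

if __name__ == "__main__":
    print(SAMPLE_ACCEPT.hex())
    print("authentic:", verify_response_authenticator(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    print("staff-vpn allowed:", group_lock_allows(SAMPLE_ACCEPT, "staff-vpn"))
    print("contractor-vpn allowed:", group_lock_allows(SAMPLE_ACCEPT, "contractor-vpn"))
```

The Response Authenticator is what makes this usable as a lock at all: without it, anything on the path between Radiator and the ASA could rewrite the OU= value. It is only MD5 over a shared secret, so the check is worth keeping, but the RADIUS traffic still belongs on a dedicated management network or inside a tunnel.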