ASA: group lock with NT domain authentication.

Hello!

We have an ASA 5510. I set up two groups for remote VPN, and both use NT domain authentication. How can I define a tunnel-group lock for users in both groups?

How can I lock the user to the group? Is there a configuration in Active Directory to set the group of a user?

I don't know what the solution is; I found nothing.

Please help, thanks!

Gabor

The 'Department' field I spoke of would be an attribute assigned to the user account in Active Directory.

Tags: Cisco Security

Similar Questions

  • How will AnyConnect VPN users connect to a Cisco ASA that uses a RADIUS server (domain controller) for authentication?

    Hi team

    Hope you do well. !!!

    Currently I am doing a project consisting of a Cisco ASA 5545-X and a RADIUS (domain controller) server for authentication. Here I need to configure AnyConnect VPN and host checker on the Cisco ASA.

    1. Users connect: the user opens the SSL VPN in a browser and enters a username and password.

    2. Authentication (Cisco ASA): the VPN sends the credentials to the RADIUS server.

    3. RADIUS server authentication: the server receives the credentials and returns the SSL VPN (ASA) group.

    4. Connection creation: if it is an employee PC, NAC verifies compliance; otherwise no PC check. Assign the user to the appropriate role and give an IP.

    This is my requirement, so could someone please guide me on how to set it up step by step?

    1. How to set up the RADIUS server?

    2. How to configure the Cisco ASA?

    Thanks in advance.

    Hey Chick,

    Please consult the following page on installing the ASA with a RADIUS server. On the ASA end there is frankly not much difference in doing this.

    http://www.4salesbyself.com/1configuring-RADIUS-authentication-for-webvp...

    Hope this helps

    Knockaert

  • Group-lock for VPN users with ACS

    Hello

    Is it possible to control which VPN profile a user is allowed to use, via Cisco ACS or the router?

    2811 router, IOS 12.4, using ACS 4.1

    I just want to be sure that the VPN allows the user only the client profile assigned to them and no other profile groups.

    Example:

    User123abc gets their hands on a co-worker's profile.

    HR_User_Profile.pcf

    SALES_User_Profile.pcf

    User123abc belongs to the Human Resources department and should be able to authenticate with HR_User_Profile. If User123abc tries to authenticate using SALES_User_Profile, access should be rejected.

    Is there any documentation explaining how to set this up?

    The ASA would be your option. This should be controlled by the tunnel-group and group-policy values, group-lock, ACS and ASA.

  • Windows 2008: I can't open Group Policy Management: "To manage Group Policy, you must log on to the computer with a domain user account."

    Hi, please advise. I can't open Group Policy Management on Windows Server 2008; it says
    "To manage Group Policy, you must log on to the computer with a domain user account."

    Hi Cucu KurniaPutra,

    Thanks for asking this question to Microsoft Community!

    The problem occurs in Windows Server 2008 networking; please post your request on the Microsoft TechNet forums to get help.

    Here is the link:

    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

    It will be useful. For any other Windows-related help, do not hesitate to contact us and we will be happy to help you.

    Kind regards!

  • New to mapping SSL VPN ACS groups to ASA groups

    Greetings,

    I am new to ASA, so any help is greatly appreciated.

    I just installed and configured an ASA 5520. I set up an SSL VPN. What I'm trying to achieve is to configure profiles for different groups so that different users can access various resources when they access the VPN.

    Current config:

    ASA 5520 v8.3

    ACS 4.0

    Windows 2003 domain

    I have different profiles set up in the ASA (e.g. Business Dept.). When I choose one in the drop-down menu, it allows me to log in and displays the options I've chosen for this group. The problem is that I can connect to this group with any account. Basically, all Windows domain users are in the default group. I guess the default group is being processed, and that is what is handling the user logon.

    Can anyone provide a good article or tips on how to configure the ASA and the ACS for several groups of users? We have several departments that will need to get their parameters when they connect. The ACS groups are mapped to the Windows groups that correspond to each department.

    Any help is greatly appreciated.

    Thank you

    Tim

    Hello

    I think that you need to enable group locking.

    In order to configure group locking, send the group policy name in the Class attribute 25 from the Remote Authentication Dial-In User Service (RADIUS) server and choose the group to lock the user into in the policy. For example, to lock the user Cisco123 into the RemoteGroup group, define the Internet Engineering Task Force (IETF) Class attribute 25 as OU=RemotePolicy; for this user on the RADIUS server.

  • IOS AnyConnect VPN group lock and user restrictions

    Dear Experts,

    I now have two questions about Cisco IOS VPN on ISR G2:

    1. Is it possible to lock a user to a group in IOS AnyConnect VPN, as we can do on the ASA? If so, can someone share the steps for it?

    2. A customer wishes to restrict AnyConnect user login so that the connection can be turned on for the user on request. That is to say, whenever the user wants to connect via VPN they ask the administrator to allow the connection. Can we do this without deleting the username and creating it again?

    The latter may be on ASA or IOS.

    Please see this guide:

    http://www.Cisco.com/c/en/us/support/docs/security/iOS-easy-VPN/117634-c...

    As it points out, "for Cisco IOS group-lock and ipsec:user-vpn-group, it only works for IPsec (the Easy VPN server). In order to group-lock specific users into specific WebVPN contexts (and the group policies attached), authentication domains should be used."

    If you lock a user to a policy that authenticates but does not provide real access permissions (say an ACL that blocks all traffic to the private network), then you have essentially made their ability to connect non-functional.

    If you use an external AAA server (for example RADIUS or LDAP), then you can move them in and out of the authorized group without disabling VPN access or deleting their account altogether.

  • Group lock on VPN 3000: binding users to their group

    I use a VPN 3015 with VPN Client 3.5.1 using IPsec. Cisco ACS 3.0 is the RADIUS authentication server for all users. If I use a group on the client, I can log in using a username from a different group.

    Interestingly, you then get the other group's privileges for this user, as you would expect.

    If I select Group Lock in the base group settings, it has no effect.

    I want to restrict client access to the group the user is configured in.

    I use external authentication to the ACS RADIUS server for groups.

    Thanks for any help you can give.

    Mark

    Hi Mark,

    You can follow the configuration example at:

    http://www.Cisco.com/warp/public/471/altigagroup.html

    Thank you

    Jean Marc

  • Group-lock does not work

    Hello

    I enabled the group-lock functionality on a C2L VPN group, but the ASA does not add the tunnel-group-name value in the RADIUS packet sent to the server for authorization.

    In the past I used the group-lock function several times without problems. This is the first time it does not work, and I wonder if it can depend on the old ASA version that I use (8.6.1(2)).

    Here are the config and the ASA debug radius all output:

    Configuration:

    group-policy Network_Users attributes
     dns-server value x.x.x.x
     vpn-tunnel-protocol ikev1
     group-lock value Network_Users
     vlan 24

    debug radius all:

    RADIUS packet decode (authentication request)

    --------------------------------------
    Data of raw packets (length = 156)...

    Packet analyzed data...
    RADIUS: Code = 1 (0x01)
    RADIUS: Identifier = 203 (0xCB)
    RADIUS: Length = 156 (0x009C)
    RADIUS: Vector: 97846DA233F069EE8F1C25FAAB08A1C6
    RADIUS: Type = 1 (0x01) - user name
    RADIUS: Length = 10 (0x0A)
    RADIUS: Value (String) =
    78 30 31 35 35 36 32 33 |  xxxxxxxx
    RADIUS: Type = 2 (0x02) username-password
    RADIUS: Length = 18 (0x12)
    RADIUS: Value (String) =
    14 80 52 4 a 72 0e e5 a1 69 d6 ee d3 d3 b9 67 0a |  .. RJr... I have... g
    RADIUS: Type = 5 (0x05) NAS-Port
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0x8B20C000
    RADIUS: Type = 6 Type of Service (0x06)
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0x2
    RADIUS: Type = 7 (0x07) Framed-Protocol
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0x1
    RADIUS: Type = 30 (0x1E) Called-Station-Id
    RADIUS: Length = 14 (0x0E)
    RADIUS: Value (String) =
    2e 2e 35 39 37 31 35 39 2e 32 32 30  |  x.x.x.x
    RADIUS: Type = 31 (0x1F) Calling-Station-Id
    RADIUS: Length = 15 (0x0F)
    RADIUS: Value (String) =
    39 2e 2e 34 33 37 32 34 38 2 32 30 32 |  94.37.248.202
    RADIUS: Type = 61 (0x3D) NAS-Port-Type
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0x5
    RADIUS: Type = 66 Tunnel-Client-Endpoint (0x42)
    RADIUS: Length = 15 (0x0F)
    RADIUS: Value (String) =
    39 2e 2e 34 33 37 32 34 38 2 32 30 32 |  94.37.248.202
    RADIUS: Type = 4 NAS-IP-Address (0x04)
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (IP address) = 172.22.5.33 (0xAC160521)
    RADIUS: Type = 26 (0x1A) vendor-specific
    RADIUS: Length = 34 (0x22)
    RADIUS: Vendor ID = 9 (0x00000009)
    RADIUS: Type = 1 (0x01) Cisco-AV-pair
    RADIUS: Length = 28 (0x1C)
    RADIUS: Value (String) =
    69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 39 34 2e |  ip:source-ip=94.
    2e 33 37 32 34 38 2 32 30 32 |  37.248.202
    Send 172.22.39.1/1812 pkt
    RADIUS_SENT:Server response time
    Ray mkreq: 0x1a6
    alloc_rip 0x00007ffec924aa48
    new application 0x1a6--> 204 (0x00007ffec924aa48)
    obtained the user 'xxxxxxxx '.
    has obtained the password
    add_req 0x00007ffec924aa48 session 0x1a6 204 id
    RADIUS_DELETE
    remove_req 0x00007ffec9249ec0 0x1a5 203 session id
    free_rip 0x00007ffec9249ec0
    RADIUS_REQUEST
    RADIUS.c: rad_mkpkt
    rad_mkpkt: ip:source - ip = 94.37.248.202

    RADIUS packet decode (authentication request)

    As mentioned previously, the packet does not contain attribute ID 146 Tunnel-Group-Name, which is normally added when group-lock is enabled. I'm talking about this:

    RADIUS: Type = 26 (0x1A) vendor-specific
    RADIUS: Length = 32 (0x20)
    RADIUS: Vendor ID = 3076 (0x00000C04)

    RADIUS: Type = 146 (0x92) Tunnel-Group-Name
    RADIUS: Length = 26 (0x1A)
    RADIUS: Value (String) =
    54 45 5f 4c 56 50 4e 5f 49 6e 74 72 61 6e 65 74 |  Network_Users
    RADIUS: Type = 26 (0x1A) vendor-specific
    RADIUS: Length = 12 (0x0C)
    RADIUS: Vendor ID = 3076 (0x00000C04)
    RADIUS: Type = 150 (0x96) Client-Type
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (integer) = 1 (0x0001)

    Thank you

    Maurizio

    I wonder if your problem is related to this bug:

    CSCsw31922

    Maybe upgrading to 8.6.1(5) or later will solve the problem.

    --

    Please do not forget to select a correct answer and rate useful posts
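    The check the thread above is doing by eye, as an added example that is not from the original post: a small RADIUS attribute parser that walks an Access-Request and reports whether the ASA included the vendor 3076 / type 146 Tunnel-Group-Name VSA that group-lock depends on. The two sample packets are constructed here (the user name, source IP and zero authenticator are made up) to show one request with the VSA and one without, as in the debug output.

```python
import struct

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific wrapper
VENDOR_CISCO = 9            # Cisco-AV-pair (vendor type 1), as in the debug above
VENDOR_ALTIGA = 3076        # ASA/VPN3000 VSAs; vendor type 146 is Tunnel-Group-Name
VSA_TUNNEL_GROUP_NAME = 146

def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute payload: vendor id + one sub-attribute."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value

def build_access_request(ident, attrs):
    """Serialize an Access-Request (code 1) with a constructed all-zero authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return (type, vendor_id, vendor_type, value) tuples; vendor fields are None
    for IETF attributes. Every length field is checked before a slice is taken."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    result, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos < len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed VSA inside attribute at offset %d" % pos)
                result.append((atype, vendor_id, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            result.append((atype, None, None, value))
        pos += alen
    return result

def tunnel_group_name(packet):
    """Return the Tunnel-Group-Name the ASA sent, or None (group-lock cannot be enforced)."""
    for _, vendor_id, vtype, value in parse_attributes(packet):
        if vendor_id == VENDOR_ALTIGA and vtype == VSA_TUNNEL_GROUP_NAME:
            return value.decode("ascii")
    return None

# Constructed sample requests (not the poster's packet): one carrying the VSA the
# poster expected, one without it, which is what the debug output above shows.
COMMON = [(ATTR_USER_NAME, b"vpnuser"),
          (ATTR_VENDOR_SPECIFIC, vsa(VENDOR_CISCO, 1, b"ip:source-ip=198.51.100.7"))]
WITH_GROUP = build_access_request(203, COMMON + [
    (ATTR_VENDOR_SPECIFIC, vsa(VENDOR_ALTIGA, VSA_TUNNEL_GROUP_NAME, b"Network_Users"))])
WITHOUT_GROUP = build_access_request(204, COMMON)
```

    Run against a real capture, the same parser accepts the raw bytes of the Access-Request taken from a packet capture of the ASA-to-RADIUS traffic.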

  • AD login with the iPad in an inter-domain (global forest) setup

    Hello

    I have a problem with iPad login using AD authentication with VCS. We have a forest with multiple domains. We can log in with Movi without problems. We can log in with Jabber on the iPad without problem.

    But if we create a special group with a global group in a special domain, you must log in with the Movi user as domain\username and password, and registration works very well. But if we try with the iPad as user domain\username and password, the iPad cannot register. I think Jabber for iPad has a problem with the user string domain\username and password. Could the problem be with the Jabber client software, or a bug? If I change my AD group to a local group without domain\user, the login on the iPad works great, but I need domain\user for the global AD.

    Thanks

    I need feedback, please.

    Hello. Looks like you may be hitting:

    CSCub38436

    The fix is going into 9.3, and hopefully its release is targeted for some time in April. I hope this helps.

    VR

    Patrick

  • 713060: Tunnel rejected: user (user) is not a member of group (groupname), group-lock check failed.

    Hello

    I just set up VPN for end users on a PIX 515E with IOS 8 and am stuck with "Tunnel rejected: user (msveden) is not a member of group (VPN shared), group-lock check failed." Can someone please help me and tell me how to add the user to my VPN group?

    Regards

    Mikael

    Maybe you are looking for this:

    ASA1(config)# username msveden attributes

    ASA1(config-username)# group-lock value mygroup

    Thank you

    Ajay

  • Anyone know how to solve my problem? I can't import my photos from iPhone to computer. The message says: Photos in the camera roll cannot be imported because the iPhone is locked with a passcode or read. My phone is unlocked. I've tried everything.

    Anyone know how to solve my problem? I can't import my photos from iPhone to computer. The message says: Photos in the camera roll cannot be imported because the iPhone is locked with a passcode or read. My phone is unlocked. I tried everything, every single idea. Without success! Any other idea?

    For example, you said that the device does not display the lock screen, correct? Do you use Touch ID? If so, try putting your finger on the device to see if that's what it wants.

    See you soon,

    GB

  • Photos in the camera roll on "iPhone" cannot be imported because the iPhone is locked with a passcode or read

    iPhone 6 Plus updated to 10.0.0.2 and now I get the error: the pictures in the camera roll on "iPhone" cannot be imported because the iPhone is locked with a passcode or read. You must enter your passcode on the iPhone to view and import them.

    None of the solutions proposed so far work. Guess I'll have to wait for Apple to fix the bug...

    iPhoto 11 (9.2.3); OS X 10.6.8

    About the "Trust This Computer" alert on your iPhone, iPad or iPod touch - Apple Support

    LN

  • "iPhone is disabled, connect to iTunes" AND "iTunes cannot connect to the iPhone because it is locked with a passcode" error messages on the phone and the computer! Help!

    So I recently entered my passcode wrong too many times and my iPhone 4S locked me out, telling me "iPhone is disabled; connect to iTunes". So I connected to iTunes and decided to restore my phone. I finished the restore and configuration process on my phone, but in the end it would not even let me into the phone! Once AGAIN it said "iPhone is disabled; connect to iTunes". However, this time the message appeared as soon as I turned on my phone, on a black background. I did not see the screen on which the error message is displayed (there was no time for it to be shown). When I tried to connect to iTunes again as it asked, now it says "iTunes cannot connect to the iPhone because it is locked with a passcode".

    So now it says "iPhone is disabled; connect to iTunes" on my iPhone 4S and "iTunes can't connect to the iPhone because it is locked with a passcode" on my computer. WHAT should I do?

    As described in step 2 of "Erase your device with iTunes" in this article, you will need to use Recovery Mode.

    Recovery mode is described in this article as well. You may have to try going into recovery mode more than once to succeed.

    If you have forgotten the passcode for your iPhone, iPad or iPod touch, or your device is disabled - Apple Support

  • I NEED HELP please, I'm having a problem: I forgot my password and when I plug it in it says it's locked with a password. I tried the iTunes thing but

    I NEED HELP please, I'm having a problem: I forgot my password and when I plug it in it says it's locked with a password. I tried the iTunes thing but it says enter password. I put in what I remember, then it said locked for five minutes. Help me please.

    Without knowing the passcode for your iPhone, there is no way to unlock it, even if you bring it to the Genius Bar. If you continue to enter the wrong passcode, you will be locked out of your iPhone, and your data will be inaccessible.

  • I bought an iPhone 6s online and it is locked with a numeric passcode. Is there any way I can bypass it and set up my new phone?

    I bought an iPhone 6s online and it is locked with a numeric passcode. Is there any way I can bypass it and set up my new phone?

    No, better to return it for a full refund.

    Without the password, you have a brick.
