ASA to ACS Radius - restrict by group

Similar Messages

• Dynamic User Group Role for ASA 8 ACS 4 External Windows DB

  1. I've successfully got a Win2003 AD user to authenticate to the ASA via an ACS but the default group settings the dynamic user becomes part of don't get transfered to the user. How do I get the user to adopt the group settings?
  2. ASDM recommends nabling authentication for admin console sessions so you don't ssh into a box then have to login as the enable password which isn't logged. When I check the box for this feature I can ssh to the ASA but my password is denied ASA. How do I keep the user credentials all the way to the privilege exec mode?
  3. Back in the day I could configure the ACS shell, privilege 15, custom attributes cisco-av-pair "priv-lvl-15" to get a user to jump directly to privilege exec mode. This doesn't work now. Is there a different way to do this on ACS v 4?
  Thanks in advance,
  Matt

  Try this:
  aaa authentication enable console
  aaa authorization command
  on ACS go to the user or group that the user is in and go to enable options and click on "Max Privilege for any AAA client" and set it to "15". Then go to the "tacacs+" section on click on "Shell(exec)" and click on "Privilege leve" and enter 15. Then go to the "Shell command authorization set" and set the default to permit any commands not listed. This will get the user into privilege mode. In ASA/Pix it requires command authorization and authentication for enable console. On IOS it requires that you use aaa authentication exec and then the aaa authorization exec/command. This will allow the user to go straight into privilege mode instead of user mode.

• Manually start RADIUS, Authentication and groups for Cisco ASAs

  I am testing moving a 10.7 server to 10.8.
  We have used RADIUS to authenticate VPN traffic on our Cisco ASAs in the past.  In the past Server Admin allowed for our ASAs to be added manually to the list of devices using the service.  With Server Admin being removed and the limited funtionality of automated addition of Airports to the system I have no GUI method to get our ASAs into the service.  The ability to tell RADIUS which groups are using the service is no longer available in the GUI as well.
  I have found the clients file in /etc/raddb and added our ASAs to the clients list.  I believe I have done this correctly in accordance with the instructions on the freeRADIUS website.
  I need help with:
  1- I was hoping someone knows how to manually tell RADIUS which groups are permitted to use the service.
  2- Can anyone tell me how to turn on RADIUS?  radiusconfig -start appears to only tell the system to keep it on after a restart if i understand the manual page.
  Thanks

  With David's suggestion I was able to get RADIUS running.  The following assumes that you are comfortable with Terminal and would be able to back up any files you edit.  Here is what I did to our fresh installation of 10.8 Server:
  In Terminal enter "sudo radiusd -Xx" which tries to turn RADIUS on and runs it with full logging of activity in the window.  The last line after this entry should be something similar to "Ready to process records."  In our new installtion there were errors relating to "instantiating" sql and the ready message never came.
  In Terminal enter "sudo pico /etc/raddb/radiusd.conf" and authenticate as needed.  Scroll down in the file to the section where there are "instantiate" items.  I commented out the SQL setup, by putting a # before the line that says "sql".  Save the file by pressing Control-O, press return to save in the default location, and press Control-X to get out of the editor.  I redid step number 1 twice and eventually RADIUS was running.  Removing SQL from RADIUS will assure that problems will arise if you plan to use Server.app to add AirPorts to the network in the future.  OS X Server adds its clients in an SQL database according to the programming notes in the .conf files.  I will only be using our Cisco ASAs so SQL is not relevant to our setup.
  Testing the running RADIUS server was easy as well.  In Terminal enter "sudo pico /etc/raddb/users" and authenticate as needed.  This file contains details for users if you wanted to add them manually to the RADIUS server.  For testing purposes I removed the # before a line referring to a user "steve."  I had to get RADIUS restarted to take up the new information about Steve.  I killed the process using Activity Monitor and reran step number 1.
  In Terminal I opened a new tab and entered "sudo radtest steve testing localhost 0 testing123 -t".  You should get back a positive authentication message.  Switching back to the original tab will show the output of the RADIUS server.
  Reverse the entry in step 3 by adding back the # to comment out the line about steve in the users file.
  RADIUS is now running and authenticating against its own users file.
  Now we need to add our ASAs to the RADIUS server so it knows that it can authenticate for them.  In Terminal enter "sudo pico /etc/raddb/clients.conf".  We added lines for our ASAs, following the samples in the code.  The information in the lines we added included a generic name for each ASA or device needing RADIUS type authentication, its IP address, and the shared secret for device authentication.
  Following David's advice from above I created the RADIUS sacl by entering in Terminal "sudo dseditgroup -q -o create -u <admin user> -P <admin password> -n . com.apple.access_radius".  This created the sacl for the service.  Editing of the associated users and groups permitted to use the service was able to be done in Server.  Be sure to select from the View menu "Show system accounts".  Selecting "Groups" from the left margin of the Server window will show all of the SACLs along with any groups you have created.  The RADIUS sacl can then have groups and users added to it.
  To ensure that RADIUS is running and stays running enter the following in Terminal.  First, "sudo radiusd.conf" will start RADIUS without logging in the Terminal window.  Then, "sudo radiusconfig -start" to tell the system to keep it running and also run after a reboot.
  I made no changes to our ASA settings and found that I was able to authenticate the "Steve" user from the RADIUS test in the ASA.  I was also able to authenticate a user which had been added to the "Users" in Server.  It appears that the ASA will be permitted to authenticate Open Directory users without additional setup.
  I now need to set up our user groups to match those we use in our 10.7 server and add them to the RADIUS SACL and we should be set.
  Once I have everything running properly, I will add a post here to close this discussion.
  If anyone can shorten this procedure please let us know what you suggest.
  -Erich

• ACS 3.3 Windows group mapping problem

  Hi,
  I?m running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?
  Thanks,
  Peter

  You need to set up proxy.
  http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
  Look for "Cross-Forest Authentication" in above link. And you get the Idea of what I mean. Though in above link its depicted with IAS server, but same is possible with ACS, as both can act as Radius server.
  There is a known bug, CSCsi04187
  PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is autenticating to a domain forest that the ACS is not a member of.
  Conditions:
  The Machine authenticating to ACS is in a different domain forest then the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.
  Workaround:
  If the supplicant has the option you can send the macine name in hos/ format.
  Many supplicants do not have this option.
  It is to be fixed for ACS 4.2 release.
  Regards,
  ~JG

• FWSM user and administrator multi-contexts authentication under ACS radius

  Hi,
  I’m preparing the setup of an ACS radius server for FWSM-related authentication operations.
  FWSMs will be in release 2.2, inserted in Catalyst 6500 (MSFC – IOS), in routed mode, in multi-switch active / standby setup, with multiple contexts configured.
  User and administrator access management will be performed thanks to a radius ACS server.
  I intend to install ACS onto an armored windows 2000 server SP4 , using a local database.
  PDM 4.0 is needed in order to manage multiple-contexts on FWSMs.
  Are there any points I should be aware about such a configuration, especially regarding the user and administrator authentication access management setup ?
  The fact is that administrators will have to be defined and restricted to their own context, without privileges onto other contexts. Do you have feedback about such a setup or relevant information to point to me ?
  Many thanks in advance for your attention.
  Best regards,
  Arnaud

  Each of the contexts will behave like individual firewalls for your purposes here. So, they each get a AAA config, and you could put them into their own groups for access control. Protect the Admin context especially well, it controls system resources for the others. Depending on how many FWSMs you have, you may want to look into the Pix MC, which is similar to PDM, but works for multiple FWSMs. It is a part of CiscoWorks VMS.
  -Paul

• Implement strategy for ASA on TACACS w/ restricted read-only access

  An ASA5550 will need to be configured to use TACACS AAA. Currently, the ASA is setup for local authentication. A couple of privilege 15 admin users and a few more privilege 5 read-only users.
  ASA 5550
  running ASA 8.2(2)
  using ASDM 6.3(5)
  authenticating to ACS 4.2
  The admin users and read-only users already have established TACACS usernames and are in established TACACS user groups for logging into routers/switches.
  What's the best way to implement configuration of the ASA and ACS server to maintain the same type of restrictions that's applied using the local database?
  1. Try and avoid the creation of a second TACACS username for the admin and read-only users.
  2. ACS allows restrictions on what devices can be access by users/groups. Possible to do reverse? Restrict what usernames can access a device in the ACS database.

  If you want to configure ASA for read-only access via tacacs then you have to do the following task
  ASA/PIX/FWSM Configuration
  In addition to your preset configuration, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
      aaa-server authserver protocol tacacs+
      aaa-server authserver host 10.1.1.1
      aaa authorization command authserver
  On the ACS, you need to create command authorization set for only SHOW commands:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
  Associate command authorization set with user or group
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso2
  Regards,
  Jatin
  Do rate helpful posts-

• ASA to ACS: how to distinguish different authentication methods?

  I have SSL VPN Clients connecting to an ASA 5520 using RADIUS to a backend Cisco ACS. I want to support two authentication options for the clients. The first is a certificate combined with an Active Directory username & password. The second is a token-name & one-time-password.
  Setting these two authentication methods up on the ASA is no problem ... I can configure user selectable connection profiles that have the wanted authentication settings. The ACS can handle both the AD and token credentials.
  Here's the problem. I need to be able to distinguish on the ACS if a connection request was certificate authenticated or not. I don't want users choosing to do a token/OTP connection and then entering in their AD credentials instead. the ACS won't know that this AD authentication request wasn't properly combined with a certificate.
  I've used NAR settings in the past to control what user databases an AAA client can authentication against, however, if the two authentication methods are coming from the same AAA client (the ASA), what can I do?

  I guess this should be possible with a feature called NAP,( network access profiles). Here you can define which database to use for any specific request. We can filter request on the basis of attributes sent in the authentication request.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
  Regards,
  ~JG

• ACS USER IN MULTIPLE GROUP

  Dear all
  I have an ACS running 4.2 ver.We have integrated this with AD as well.
  We had created some groups in acs for vpn and its is dynamically mapped with respective department.Its working fine know.
  We have designed wireless implementation here with dynamic vlan assignment.
  This is not working beacause user is already a member of one group in acs.I know that i can edit that group and do the wireless parameter settings.
  But i would like to know wheather the user can be a member of multiple group or user will be associated with first  group.
  If we have an option for the user to be in a multliple group how can we do this.
  If any one has faced this issue pls reply me at the earliest.
  regards
  -Danish

  Its a bit long winded, but by using multiple Network Access Policies (NAP) in ACS 4.2 you can create specific windows group mappings per NAP.
  The NAP is selected dynmically by NAS IP, or NDG or any content within the incoming RADIUS packet. So usually its possible to match on something. NAPs may also have chunks of re-usable RADIUS attributes (Shared Radius Authorisation Components) which can be used instead of setting RADIUS attributes at group level - can reduce the management overhead.
  Its not a perfect solution, but should get to where you need to be without having to upgrade.
  Facing an ACS audit? Find out how aaa-reports! can help at www.extraxi.com

• How to restrict sales group and sales office in va01?

  in transaction "va01" ,I want to restrict "sales group" and "sales office", but there is no
  relative authorization object. I create a role named "z1000test001" with va01 , there are only "division","sales organization"
  and "distribution channel" which could be restricted.
  the authorization object with va01 is : V_VBAK_VKO.
  and I find another authorization:V_VBKA_VKO ,which contains:"sales group" and "sales office",
  but this one seems have no relationship with va01.
  Is there any method to restrict "sales group" and "sales office" in va01?
  Could anybody help me?

  Hello,
  This has been discussed before and there's a solution available.
  Have a look at this thread: Authorization for Sales Office and Sales Group
  Cheers
  Jurjen

• Restrict material groups  at PR/PO creation for items w/o material master

  Dear SAP experts
  I have one question related to restricting material groups which are possible for selection during purchase requisition or purchase order creation.
  The material group is created and several material master records are linked to it. Now the requirement is that when users are creating either purchase requisitions or purchase orders it shouldn't be possible to select that specific material group>
  But this should be valid only if PR or PO are being created for items without material master record. If PR/PO is created for item with material master record then the restriction should not take place.
  What would be the nicest solution to achieve that?
  Thank you all in advance for your help.
  Regards,
  Miha

  Hello Prakash
  Thank you very much for your answer. i think it is a very good starting point.
  However I am not too familiar with authorization group configuration of material groups.
  Right now in our system (transaction OMSF) field authorization group is empty for all existing material groups.
  Does this mean that for the material group that I want to have restricted I need to have two entries: one with Authorization group ZOK and another with ZNOTOK (or whatever the naming would be)?
  Furthermore I would like to ask you where is then the link between authorization group and user exit?
  And thirdly: do you perhaps have some more details which user exit(s) are relevant for our topic?
  So far thank you very much and I hope that you can provide me also with additional info.
  Rgds
  Miha

• Migrate WPA2 to ACS RADIUS

  Hello Guys Again me I hope you can help me as well
  I'm working with five SSID's they're using WPA2 with PSK, I wanto to migrate to 802.1x Authentication so I'm goin to set a ACS RADIUS.
  I have some remote offices and they're working with WPA2 and PSK
  My questions is what happen if I migrate this SSID's to 802.1x, my remote users are will available to join at one SSID? And what happen if my RADIUS goes down? Right now if my WLC goes down my remote AP still work and accept new clients.  But if change this authentication method.. they will working as now?
  And what happen with my local user if my RADIUS goes down?
  Thank you everyone

  Dear Scott as Well I really Aprecciate your help and Abhishek
  One more questions I'm really concern about this migration, right now I have a WLC 4402 with 1131AG AP's this AP's has an IOS version 12.4 (3g) JA and the AP's are working as LWAPP. I founf on cisco page this Matrix.
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
  My news 5508 have 7.2.103 version, that matix says I need as minimun 12.4 (25e)JA So... I'm not sure if I need to upgrade the IOS version to my AP's.
  I was reading the 7.2 configuration text for 5508 and in some part of the tex say this
  The WGB can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release 12.4(3g)JA or later releases (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or later releases (on 16-MB access points). These access points include the AP1120, AP1121, AP1130, AP1231, AP1240, and AP1310. Cisco IOS releases prior to 12.4(3g)JA and 12.3(8)JEB are not supported.
  I know is talking about WGB,  but I can read between the lines that the version of IOS12.4 (3g) JA of AP should no problem joining the new controller?
  This part of the document make me guess I don't have to do anything.
  Thanks!!

• ASA - logging via radius with group name passed.

  Hi,
  I'm trying to setup ASA5520 with Radius to authenticate users with group
  privileges.
  Useing Radius with ASA to authenticate users is quite simple. When I try
  to pass from asa tunnel-group name (with group-policy and attributes
  attached) there is a problem that ASA dosn't pass any group name to
  radius.
  Is there any way to overcome it?
  What I want to do is to apply different policies to username depending
  with what tunnel-group name he logs in to webvpn. I assume one user may
  be member of different groups.
  br
  Marcin

  It's possible.
  Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
  Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or other method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, which you can then limit URL's shown with the url-list command.
  Long winded, I know...any questions, please ask.

• ASA 5505 VPN Group Policies (RADIUS) and tunnel group

  I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
  I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries). 
  Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
  I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
  Session Type: WebVPN
  Username     : kaisaron78             Index        : 1
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 518483                 Bytes Rx     : 37549
  Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 10:59:33 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:23s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000100053f1c075
  Security Grp : none
  Asa5505# sh vpn-sessiondb webvpn
  Session Type: WebVPN
  Username     : manintra               Index        : 2
  Public IP    : 172.16.0.3
  Protocol     : Clientless
  License      : AnyConnect Premium
  Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
  Bytes Tx     : 238914                 Bytes Rx     : 10736
  Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
  Login Time   : 11:01:02 CEDT Mon Aug 18 2014
  Duration     : 0h:00m:05s
  Inactivity   : 0h:00m:00s
  VLAN Mapping : N/A                    VLAN         : none
  Audt Sess ID : c0a801fa0000200053f1c0ce
  Security Grp : none
  As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
  ! ADDRESS POOLS AND NAT
  names
  ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_27
   subnet 192.168.10.0 255.255.255.224
  access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
  ! RADIUS SETUP
  aaa-server OpenOTP protocol radius
  aaa-server OpenOTP (inside) host 192.168.1.8
   key ******
   authentication-port 1812
   accounting-port 1814
   radius-common-pw ******
   acl-netmask-convert auto-detect
  webvpn
   port 10443
   enable outside
   dtls port 10443
   anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
   anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
   anyconnect enable
  ! LOCAL POLICIES
  group-policy SSLPolicy internal
  group-policy SSLPolicy attributes
   vpn-tunnel-protocol ssl-clientless
   vlan 3
   dns-server value 10.5.1.5
   default-domain value management.local
   webvpn
    url-list value Management_List
  group-policy RemoteAC internal
  group-policy RemoteAC attributes
   vpn-tunnel-protocol ikev2 ssl-client
   vlan 1
   address-pools value AnyConnect_Pool
   dns-server value 192.168.1.4
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value Split_Tunnel_Anyconnect
   default-domain value home.local
   webvpn
    anyconnect profiles value AnyConnect_Profile_client_profile type user
  group-policy SSLLockdown internal
  group-policy SSLLockdown attributes
    vpn-simultaneous-logins 0
  ! DEFAULT TUNNEL
  tunnel-group DefaultRAGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group DefaultWEBVPNGroup general-attributes
   authentication-server-group OpenOTP
  tunnel-group VPN_Tunnel type remote-access
  tunnel-group VPN_Tunnel general-attributes
   authentication-server-group OpenOTP
   default-group-policy SSLLockdown
  !END
  I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
  Any help will be more than appreciated.
  Cesare Giuliani

  Ok, it makes sense.
  Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
  Thank you again for your precious and kind help, and for your patience as well!
  Cesare Giuliani

• Add RADIUS attributes under "Group Setup" in ACS 4.2

  Hi Security Experts,
  I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes,
  IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
  PS: I rate useful posts
  Thanks,
  Kashish

  Under "Interface" you can enable which RADIUS-Attributes you want to display. Probably there's just one checkmark missing for your vendor.
  The Options for RADIUS are described here:
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html

• ASA and ACS 5 multiple VPN profiles for one user

  Hi there
  I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:
  ACS 5.3 group hierarchy:
  - VPN users global
  -- VPN users A
  -- VPN users B
  ASA VPN profiles:
  - VPN profile A
  - VPN profile B
  - VPN profile Z
  VPN authorizations:
  1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class an no lock attributes, so the group is allowed for all VPN profiles)
  2. VPN users A should have access to VPN profile A (here we create a authorization profile with class and lock attributes for profile A)
  3. VPN users B should have access to VPN profiles B and Z (is this possible and how does the authorization profile have to look like?)
  Thanks a lot in advance and best regards
  Dominic

  Hi Dominic,
  first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
  The Tunnel-Group (TG) is either selected by the user (either from a drop down list or by entering a specifiv group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
  The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.
  So from the ASA's standpoint itself your posibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
  In other words you can not achieve your goal if the Radius server has a "static" set of attributes per user.
  However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
  vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
  vendor ID = 3076, attribute 150 is "Client Type" (integer)
  0 = No Client specified  1 = Cisco VPN Client (IKEv1)  2 = AnyConnect Client SSL VPN  3 = Clientless SSL VPN  4 = Cut-Through-Proxy  5 = L2TP/IPsec SSL VPN  6 = AnyConnect Client IPsec VPN (IKEv2)
  So if you can configure the Radius server to "dynamically" permit/deny access based on the TG attribute I suppose you could achieve what you want.
  If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.
  hth
  Herbert