We’ve done some pretty neat stuff with the ASA so far. If you have been following along you probably have a couple of tunnel groups configured and possibly some RADIUS authentication against a MS AD database. Now it’s time for the curve ball. We are going to create a single tunnel group that all WebVPN users will use and apply different group policies against each. In previous examples we configured customization, assigned the customizations to tunnel groups, and then assigned aliases and group URLs to the tunnel groups. This worked well and there isn’t anything wrong with configuring this way. In most cases, it works best with local authentication as you can configure each user with group-lock for their specific tunnel group. You can even use RADIUS for authentication, but if you do there isn’t a very good way to lock a user into a specific tunnel group. So, rather than configure separate tunnel group’s for each group of users we are going to define separate group policies for each group of users. Why would we do this? Because we can configure IAS and the ASA to log a user into a specific group policy and customization based on their AD group membership. How cool is that? Let’s get right into it. We’ll keep the IAS configuration that we have thus far but I’m going to start over with tunnel groups and group policies on the ASA.
Configure IAS with attribute 25
The first step is going to be to modify our current remote access policy and add another one. We’ll stick with our sales and marketing example. So at this point in AD (Active Directory, you knew that already right?) we should have the following users and groups.
GroupSales – Security Group
GroupMarketing – Security Group
Sales – Sales user that is a member of GroupSales
Marketing – Marketing user that is a member of the GroupMarketing
Let’s start by modifying our existing sales remote access policy in IAS. If you don’t know how to create the remote access policy, refer to my last post called “Configuring RADIUS authentication for WebVPN”. So open up IAS on the server and locate your sales remote access policy, right-click on it and open up properties.
We want to add an attribute so click on the ‘Edit profile’ button.
On the profile window select the ‘Advanced’ tab and click the ‘Add…’ button.
On the ‘Add Attribute’ window select the ‘Class’ attribute and press the ‘Add’ button
On the ‘Attribute Information’ window you need to add the group policy name for the group that you are working on. For instance, later we will create two group profiles, one called GP_Sales for the sales group and another called GP_Marketing for the marketing group. Since we are working on sales and we want users of the sales group to use GP_Sales, we’ll specify that as attribute 25 (class) here in IAS. If you are confused, just stay with me for a moment; I’ll summarize shortly. When you specify the group policy name you NEED to make sure that you enter it in correctly. The string value needs to be entered as shown below in this format ‘OU=<Group Policy Name>; After you have entered your value press OK, close the ‘Add Attribute’ window, press OK to close your edit profile window, and OK one more time to close the Edit Remote Access Policy window.
That’s the entire configuration for a single remote access policy. Now you need to follow these exact same steps to create/modify your marketing remote access policy. So now that we have at least two remote access policies configured, I’ll review how this works from the IAS side of things. You have two remote access policies, one for sales and one for marketing. Each remote access policy is looking for a particular attribute about a user so that it can make a decision as whether or not to grant access. If you’ll recall both of our remote access policies specify the windows group name as their policy conditions. When an authentication request comes into the IAS server it runs through its list of remote access policies to see if it can find a match. The policies are evaluated in a similar manner to how a router or firewall evaluates a ACL; it runs through the list, line by line, looking for a match. If it can’t find one, there is an explicit deny waiting as the last line in the list. Same deal with the remote access policies. We have two policies that are looking for users, that are in either the windows group GroupSales or GroupMarketing. If your AD user isn’t a member of either of those groups, they aren’t getting authenticated. So why can’t we just add these all into remote access policy? Because we need to specify separate class attributes in each remote access policy. The ASA is going to see the class attribute that is specified for the policy and throw the user into that specific group policy. Let’s continue with the ASA configuration. I’m going to build the group policies from scratch, but assume you still have a sales and marketing customization loaded on your ASA. The notes section of each command with have the actual command I execute.
Notes
-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them
Configure the group policies
ASA(config)# group-policy <Group Policy name> internal
Notes:group-policy GP_Sales internal
ASA(config)# group-policy <Group Policy name> attributes
Notes:group-policy GP_Sales attributes
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# customization value <Customization name>
Notes:customization value Sales
Now configure your marketing group in the same way, with its respective group policy and customization name. Since we will be using one tunnel group and we don’t want to give our users the ability to select which tunnel group they use, we need to do two more things. Configure the DefaultWEBVPNGroup to use our MS IAS authentication group and tell the tunnel group not to display the tunnel group drop down
Configure the DefaultWEBVPNGroup to use you IAS authentication group
ASA(config)# tunnel-group DefaultWEBVPNGroup general-attributes
Notes:tunnel-group DefaultWEBVPNGroup general-attributes
ASA(config-tunnel-general)# authentication-server-group <Your IAS AA group name>
Notes:authentication-server-group WindowsIAS
Configure the tunnel group to no show the tunnel group drop down
ASA(config)# webvpn
ASA(config-webvpn)# no tunnel-group-list enable
And that’s it; time to test it out and see if it works! Browse to your default WebVPN logon page (no group URLs if you still have some defined) and logon with the sales user. You should see your sales customization on the portal page. Logout and try logging in as the marketing user and you should see the marketing customization. If you get the default logon page for WebVPN (no customizations) check to make sure you have your group policy names correct both in IAS and the ASA. They are case-sensitive and you need the semi-colon after the attribute name.
In the next posts we are going to do some more advanced portal customization.