We’ve done some pretty neat stuff with the ASA so far. If you have been following along you probably have a couple of tunnel groups configured and possibly some RADIUS authentication against a MS AD database. Now it’s time for the curve ball. We are going to create a single tunnel group that all WebVPN users will use and apply different group policies against each. In previous examples we configured customization, assigned the customizations to tunnel groups, and then assigned aliases and group URLs to the tunnel groups. This worked well and there isn’t anything wrong with configuring this way. In most cases, it works best with local authentication as you can configure each user with group-lock for their specific tunnel group. You can even use RADIUS for authentication, but if you do there isn’t a very good way to lock a user into a specific tunnel group. So, rather than configure separate tunnel group’s for each group of users we are going to define separate group policies for each group of users. Why would we do this? Because we can configure IAS and the ASA to log a user into a specific group policy and customization based on their AD group membership. How cool is that? Let’s get right into it. We’ll keep the IAS configuration that we have thus far but I’m going to start over with tunnel groups and group policies on the ASA.
Configure IAS with attribute 25
The first step is going to be to modify our current remote access policy and add another one. We’ll stick with our sales and marketing example. So at this point in AD (Active Directory, you knew that already right?) we should have the following users and groups.
GroupSales – Security Group
GroupMarketing – Security Group
Sales – Sales user that is a member of GroupSales
Marketing – Marketing user that is a member of the GroupMarketing
Let’s start by modifying our existing sales remote access policy in IAS. If you don’t know how to create the remote access policy, refer to my last post called “Configuring RADIUS authentication for WebVPN”. So open up IAS on the server and locate your sales remote access policy, right-click on it and open up properties.
We want to add an attribute so click on the ‘Edit profile’ button.
On the profile window select the ‘Advanced’ tab and click the ‘Add…’ button.
On the ‘Add Attribute’ window select the ‘Class’ attribute and press the ‘Add’ button
On the ‘Attribute Information’ window you need to add the group policy name for the group that you are working on. For instance, later we will create two group profiles, one called GP_Sales for the sales group and another called GP_Marketing for the marketing group. Since we are working on sales and we want users of the sales group to use GP_Sales, we’ll specify that as attribute 25 (class) here in IAS. If you are confused, just stay with me for a moment; I’ll summarize shortly. When you specify the group policy name you NEED to make sure that you enter it in correctly. The string value needs to be entered as shown below in this format ‘OU=<Group Policy Name>; After you have entered your value press OK, close the ‘Add Attribute’ window, press OK to close your edit profile window, and OK one more time to close the Edit Remote Access Policy window.
That’s the entire configuration for a single remote access policy. Now you need to follow these exact same steps to create/modify your marketing remote access policy. So now that we have at least two remote access policies configured, I’ll review how this works from the IAS side of things. You have two remote access policies, one for sales and one for marketing. Each remote access policy is looking for a particular attribute about a user so that it can make a decision as whether or not to grant access. If you’ll recall both of our remote access policies specify the windows group name as their policy conditions. When an authentication request comes into the IAS server it runs through its list of remote access policies to see if it can find a match. The policies are evaluated in a similar manner to how a router or firewall evaluates a ACL; it runs through the list, line by line, looking for a match. If it can’t find one, there is an explicit deny waiting as the last line in the list. Same deal with the remote access policies. We have two policies that are looking for users, that are in either the windows group GroupSales or GroupMarketing. If your AD user isn’t a member of either of those groups, they aren’t getting authenticated. So why can’t we just add these all into remote access policy? Because we need to specify separate class attributes in each remote access policy. The ASA is going to see the class attribute that is specified for the policy and throw the user into that specific group policy. Let’s continue with the ASA configuration. I’m going to build the group policies from scratch, but assume you still have a sales and marketing customization loaded on your ASA. The notes section of each command with have the actual command I execute.
Notes
-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them
Configure the group policies
ASA(config)# group-policy <Group Policy name> internal
Notes:group-policy GP_Sales internal
ASA(config)# group-policy <Group Policy name> attributes
Notes:group-policy GP_Sales attributes
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# customization value <Customization name>
Notes:customization value Sales
Now configure your marketing group in the same way, with its respective group policy and customization name. Since we will be using one tunnel group and we don’t want to give our users the ability to select which tunnel group they use, we need to do two more things. Configure the DefaultWEBVPNGroup to use our MS IAS authentication group and tell the tunnel group not to display the tunnel group drop down
Configure the DefaultWEBVPNGroup to use you IAS authentication group
ASA(config)# tunnel-group DefaultWEBVPNGroup general-attributes
Notes:tunnel-group DefaultWEBVPNGroup general-attributes
ASA(config-tunnel-general)# authentication-server-group <Your IAS AA group name>
Notes:authentication-server-group WindowsIAS
Configure the tunnel group to no show the tunnel group drop down
ASA(config)# webvpn
ASA(config-webvpn)# no tunnel-group-list enable
And that’s it; time to test it out and see if it works! Browse to your default WebVPN logon page (no group URLs if you still have some defined) and logon with the sales user. You should see your sales customization on the portal page. Logout and try logging in as the marketing user and you should see the marketing customization. If you get the default logon page for WebVPN (no customizations) check to make sure you have your group policy names correct both in IAS and the ASA. They are case-sensitive and you need the semi-colon after the attribute name.
In the next posts we are going to do some more advanced portal customization.
I have 25 group policy in my ASA and I am not able add all the group poilicy name in the class attributes in IAS.
Is there any restriction on number of character in class attributes?
Are you asking about a restriction in regards to the number of policies, or the length of their names?
Thanks – jon
Just for clarification, I don’t have any domain/ADS. I have windows 2003 system and 50 local users created on it. On the same system I have configured MS IAS server. IAS server is authenticating user from local user database of windows 2003.
As per your article I tried to put the class attribute like this.
OU=onl;OU=sap;OU=ar;OU=un-sri;OU=Wtomer;OU=pbdnb;OU=mcxemx;OU=tftbk;OU=hfgrms-rdatjhu;OU=CErd09gh038;OU=insdofblvce-ndero;OU=cdhwpydcr-gp;OU=mauldtirscve;OU=Px4M6-P7kL;OU=niftnsmujplport;OU=hednnrimk-esddb;OU=Pg-dcessBdIf6vfA;OU=Mssd4-PdofC-Gsrsadftfohg6nmn;OU=iagsivsdre10;OU=Nd1g-AgIrdQ;OU=vadifrddddsy;OU=anfsy-confg6neycut-civlikment;
But IAS class attributes is accepting whole string, it took only half of the string.
Issue: I would like to use group-lock feature. As of now any user can select any of the tunnel-group and they are able to connect. I want to block that.
Read as :
BUT IAS class attributes is not accepting whole string, it took only half of the string.
Also I have not created any user group on windows 2003 server running IAS server.
Just what I was looking for, so guys on the Cisco site told me to use DAP instead, which I find very confusing, this worked!
I don’t suppose you have a guide on the above but using DAP? So it would be 2 departments use the SSL clientless VPN to access different portal pages based on their AD groups via IAS using DAP?
Can you give me a more defined view of your environment? Im a little confused about what you are trying to accomplish.
Does this work for VPN clients as well? We can’t get it to work.
Hey Tim,
I dont believe I ever tested it on standard layer 3 VPNs. I do recall it being very picky about the configuration. Have you validated that it works with WebVPN? I see no reason why it wouldnt work on layer 3 VPN as well since the group policy constructs are the same in both VPN solutions.
-jon