On Oct 12, 2016, at 2:05 PM, Pico Aeterna <flippedootninja@gmail.com> wrote:
I recently just deployed a freeradius server to authenticate our Cisco Anyconnect VPN users against pam/google's OTP. My configs are in place and everything is working fine however recently we've taken on a few contractors that I would like to restrict to a specific tunnel-group/split-tunnel. I dont mind creating SSH accounts for them just as long as they have the correct split-tunnel/group policy assigned. Currently my test user can log into both tunnel-groups.
Currently in users.conf my auth default type is
"DEFAULT Auth-Type := PAM"
We don't recommend using PAM. If you need it for OTP, fine. But a native FreeRADIUS implementation is usually better.
Can this be done via /etc/group + pam or do I need to add these users to users.conf and then apply the attributes "ASA-Group-Policy" and "ASA-IPsec-Split-Tunnel-List" to them?
If you need to send RADIUS attributes, those attributes should be configured on the RADIUS server. You can't configure them in PAM.
Should I see the policy/tunnel-group name being sent from my ASA to my radius server?
I have no idea what that means. Perhaps you could be a bit more specific.
This is currently what I see via raddb -XXX when I connect using either tunnel-group.
That's an accounting packet. Not an Access-Request packet. If you're debugging authentication, it helps to look at Access-Request packets.
Does anyone currently have this implemented or a sample config I can review, or am I going about it in the wrong way?
Post the FULL DEBUG LOG as suggested in the FAQ, "man" pages, web pages, and daily on this list. Alan DeKok.