Freeradius + Cisco Anyconnect group policy
reeradius + Cisco Anyconnect group policy Greetings, I recently just deployed a freeradius server to authenticate our Cisco Anyconnect VPN users against pam/google's OTP. My configs are in place and everything is working fine however recently we've taken on a few contractors that I would like to restrict to a specific tunnel-group/split-tunnel. I dont mind creating SSH accounts for them just as long as they have the correct split-tunnel/group policy assigned. Currently my test user can log into both tunnel-groups. Currently in users.conf my auth default type is "DEFAULT Auth-Type := PAM" Can this be done via /etc/group + pam or do I need to add these users to users.conf and then apply the attributes "ASA-Group-Policy" and "ASA-IPsec-Split-Tunnel-List" to them? Should I see the policy/tunnel-group name being sent from my ASA to my radius server? This is currently what I see via raddb -XXX when I connect using either tunnel-group. Received Accounting-Request Id 174 from x.x.x.x:1026 to x.x.x.x:1813 length 135 User-Name = 'username' NAS-Port = 122380288 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = x.x.x.x Called-Station-Id = 'x.x.x.x' Calling-Station-Id = 'x.x.x.x' Acct-Status-Type = Start Acct-Delay-Time = 2 Acct-Session-Id = 'B5F00188' Acct-Authentic = RADIUS NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = 'x.x.x.x' NAS-IP-Address = x.x.x.x Does anyone currently have this implemented or a sample config I can review, or am I going about it in the wrong way? radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Mar 5 2015 at 23:41:36
On Oct 12, 2016, at 2:05 PM, Pico Aeterna <flippedootninja@gmail.com> wrote:
I recently just deployed a freeradius server to authenticate our Cisco Anyconnect VPN users against pam/google's OTP. My configs are in place and everything is working fine however recently we've taken on a few contractors that I would like to restrict to a specific tunnel-group/split-tunnel. I dont mind creating SSH accounts for them just as long as they have the correct split-tunnel/group policy assigned. Currently my test user can log into both tunnel-groups.
Currently in users.conf my auth default type is
"DEFAULT Auth-Type := PAM"
We don't recommend using PAM. If you need it for OTP, fine. But a native FreeRADIUS implementation is usually better.
Can this be done via /etc/group + pam or do I need to add these users to users.conf and then apply the attributes "ASA-Group-Policy" and "ASA-IPsec-Split-Tunnel-List" to them?
If you need to send RADIUS attributes, those attributes should be configured on the RADIUS server. You can't configure them in PAM.
Should I see the policy/tunnel-group name being sent from my ASA to my radius server?
I have no idea what that means. Perhaps you could be a bit more specific.
This is currently what I see via raddb -XXX when I connect using either tunnel-group.
That's an accounting packet. Not an Access-Request packet. If you're debugging authentication, it helps to look at Access-Request packets.
Does anyone currently have this implemented or a sample config I can review, or am I going about it in the wrong way?
Post the FULL DEBUG LOG as suggested in the FAQ, "man" pages, web pages, and daily on this list. Alan DeKok.
participants (2)
-
Alan DeKok -
Pico Aeterna