Freeradius + Cisco Anyconnect group policy
Pico Aeterna
flippedootninja at gmail.com
Wed Oct 12 20:05:22 CEST 2016
reeradius + Cisco Anyconnect group policy
Greetings,
I recently just deployed a freeradius server to authenticate our Cisco
Anyconnect VPN users against pam/google's OTP. My configs are in place
and everything is working fine however recently we've taken on a few
contractors that I would like to restrict to a specific
tunnel-group/split-tunnel. I dont mind creating SSH accounts for them just
as long as they have the correct split-tunnel/group policy assigned.
Currently my test user can log into both tunnel-groups.
Currently in users.conf my auth default type is
"DEFAULT Auth-Type := PAM"
Can this be done via /etc/group + pam or do I need to add these users to
users.conf and then apply the attributes "ASA-Group-Policy" and
"ASA-IPsec-Split-Tunnel-List" to them? Should I see the
policy/tunnel-group name being sent from my ASA to my radius server? This
is currently what I see via raddb -XXX when I connect using either
tunnel-group.
Received Accounting-Request Id 174 from x.x.x.x:1026 to x.x.x.x:1813 length
135
User-Name = 'username'
NAS-Port = 122380288
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = x.x.x.x
Called-Station-Id = 'x.x.x.x'
Calling-Station-Id = 'x.x.x.x'
Acct-Status-Type = Start
Acct-Delay-Time = 2
Acct-Session-Id = 'B5F00188'
Acct-Authentic = RADIUS
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = 'x.x.x.x'
NAS-IP-Address = x.x.x.x
Does anyone currently have this implemented or a sample config I can
review, or am I going about it in the wrong way?
radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built
on Mar 5 2015 at 23:41:36
More information about the Freeradius-Users
mailing list