We're doing exactly that, although with Radiator vs IAS.

Dave

Ben Steele wrote:
> Problem with the group selection method is via a debug radius I don't see it
> send any attribute about the group to RADIUS (I did try this way at first)
> and therefore I can't get RADIUS to match on a group as well as user/pass,
> the [EMAIL PROTECTED] might be an option, have you tried this before by sending
> back a group attribute to the ASA from RADIUS and it actually acknowledging
> it and putting the WEBVPN user into that group?
>
> Cheers
>
> Ben
>
> -----Original Message-----
> From: LaPorte, David [mailto:[EMAIL PROTECTED]
> Sent: Friday, 5 September 2008 9:54 PM
> To: Ben Steele
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
>
> You could pass the group as a realm to the RADIUS server by having the
> users log in as [EMAIL PROTECTED] The RADIUS server could authenticate them
> and return a Class="OU=GROUP;" attribute to map them properly.
>
> You could also provide a group list to the user:
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
>
> I prefer not to do this since it could make enumeration attacks a bit
> easier, but it has its place.
>
> hope that helps,
> Dave
>
> Ben Steele wrote:
>> Howdy all,
>>
>> Anyone know if it's possible to get an ASA to spit out the group name in an
>> av-pair via radius when authenticating a user? (in this case webvpn).
>>
>> The issue I'm having is multiple clients on the one ASA authenticating via
>> IAS/AD and the possibility of overlapping usernames between clients (groups),
>> I need another identifier from the ASA to auth them against other than
>> user/pass, ie group would be perfect.
>>
>> Any ideas?
>>
>> Cheers
>>
>> Ben

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
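
The realm approach suggested in the thread, sketched as an added example that is not part of the original messages and is not Radiator, IAS or ASA code: the RADIUS-side decision splits the login on the last "@", authenticates the user inside that group only, and returns the Class="OU=GROUP;" value for the ASA to map. The user store, realm names, group names and reply dictionary are constructed for illustration.

```python
import hashlib
import hmac


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample directory: the username "jsmith" exists in two client
# groups with different passwords (the overlap described in the thread).
USERS = {
    ("clienta", "jsmith"): (b"salt-a", _digest("alpha-pass", b"salt-a")),
    ("clientb", "jsmith"): (b"salt-b", _digest("bravo-pass", b"salt-b")),
}
# Hypothetical realm -> ASA group names, returned in the Class attribute.
GROUPS = {"clienta": "CLIENT-A", "clientb": "CLIENT-B"}
# Dummy record so unknown users cost the same work as known ones.
_DUMMY = (b"salt-x", _digest("unused", b"salt-x"))


def authenticate(user_name: str, password: str) -> dict:
    """Decide on a login sent as user@group; returns the reply as a dict."""
    user, sep, realm = user_name.rpartition("@")
    realm = realm.lower()
    record = USERS.get((realm, user)) if sep else None
    salt, stored = record or _DUMMY
    matches = hmac.compare_digest(_digest(password, salt), stored)
    if record is None or not matches or realm not in GROUPS:
        # One reply for every failure: a wrong password, an unknown user and
        # an unknown group are indistinguishable, so group names cannot be
        # enumerated from the responses.
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", "Class": f"OU={GROUPS[realm]};"}
```

Because the lookup key is the (realm, user) pair, a password that is valid for jsmith in one group is rejected when presented with the other group's realm.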