Running ASA 7.2(2) and wondering how it is possible to apply authorization policies to an incoming IPsec remote access connection. There is an existing backend RADIUS service running Microsoft IAS in an Active Directory domain. I have got the blanket user authentication/authorization working from AD but I need to tighten it up, restricting users to a specific tunnel-group and/or group-policy.
I want to apply the equivalent of the ASA local vpn group-lock (where the user is restricted to a specific tunnel-group) enforced from AD via RADIUS. If this isn't possible I guess an equivalent restriction could be enforced using group-policy? From this documentation it seems possible using RADIUS...
"from an external RADIUS/LDAP server by the value of the RADIUS CLASS attribute (25) in the format OU=GroupName;"
What I don't know is the magic incantation needed in IAS to map something in Active Directory onto RADIUS attribute 25. You might be able to guess I'm not an AD person.
I have seen the ASA LDAP functionality where cVPN3000-IETF-* attribute matching is used but want to fully explore/exhaust the possibility of using the existing RADIUS service for group-policy and ideally group-lock authorization. (Can group-lock even be enforced by RADIUS?)
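As an added example (not part of the post above, and not Cisco or Microsoft code): a small checker that takes the attributes of a RADIUS Access-Accept, as an IAS policy would return them, and reports which group-policy name the "OU=GroupName;" format quoted above carries, so an admin can confirm what IAS sends before relying on it for authorization. The attribute number 25 and the OU= format come from the post; the assumption that a Class attribute may appear more than once and that the first matching value is used is mine, as is the sample reply.

```python
import re
from typing import Iterable, Optional, Union

# Attribute number quoted in the post: RADIUS Class.
RADIUS_CLASS = 25

# The "OU=GroupName;" format quoted in the post (trailing ';' tolerated if missing).
_OU_FORMAT = re.compile(r"^OU=(?P<name>[^;]+);?$")


def group_policy_from_class(values: Iterable[Union[bytes, str]]) -> Optional[str]:
    """Return the group-policy name carried by a Class (25) value in the
    'OU=GroupName;' format, or None if no value follows that format.
    Assumption (not from the post): if Class appears more than once,
    the first value that matches the format is the one that counts."""
    for raw in values:
        text = raw.decode("utf-8", errors="replace") if isinstance(raw, bytes) else raw
        match = _OU_FORMAT.match(text.strip())
        if match:
            return match.group("name").strip()
    return None


def check_accept(attributes: dict, expected_policy: str) -> tuple:
    """Given the attributes of an Access-Accept as {attr_number: [values]},
    report (ok, reason) for whether the reply selects expected_policy.
    Pre-deployment check only: it does not talk to the ASA or IAS."""
    class_values = attributes.get(RADIUS_CLASS, [])
    if not class_values:
        return False, "no Class (25) attribute in reply; ASA gets no group-policy name"
    policy = group_policy_from_class(class_values)
    if policy is None:
        return False, "Class present but not in 'OU=GroupName;' format: %r" % class_values
    if policy != expected_policy:
        return False, "Class selects group-policy %r, expected %r" % (policy, expected_policy)
    return True, "Class selects group-policy %r" % policy


if __name__ == "__main__":
    # Constructed sample reply: what an IAS remote access policy might add.
    sample_reply = {RADIUS_CLASS: [b"OU=RemoteAdmins;"]}
    print(check_accept(sample_reply, "RemoteAdmins"))
    print(check_accept({RADIUS_CLASS: [b"something-else"]}, "RemoteAdmins"))
```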