11-18-2007 06:19 PM - edited 02-21-2020 03:23 PM
Greetings. I currently have an ASA5520 in place running 8.0(2) IOS. We have configured a clientless SSL VPN portal that we are currently using as a "test run". One issue that we are trying to resolve deals with using groups at the SSL VPN login page. Right now the ASA is set to authenicate usernames/passwords to a Microsoft Windows 2003 server using IAS (RADIUS). This is working fine.
What we want to do is "lock in" the user account to a particular group alias in the ASA SSL VPN login page. For example, our SSL VPN login page displays two options for "Group", "sales' and "tech". As it stands now, a user from sales can select either one of the groups displayed and still be authenicated. Is there anyway to deny login credentials if a user does not select the correct GROUP from the pull-down? This would definitely help us make sure that users are selecting the correct GROUP from the pull-down.
Any information would be greatly appreciated.
Joe
Solved! Go to Solution.
11-23-2007 12:08 PM
In order to put the user in the correct group, define RADIUS attribute 25 as ou=ASAGroupPolicyName. then try the group lock command to lock the users.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/gh_72.html
11-23-2007 12:08 PM
In order to put the user in the correct group, define RADIUS attribute 25 as ou=ASAGroupPolicyName. then try the group lock command to lock the users.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/gh_72.html
11-26-2007 05:19 AM
Worked like charm. Thx for the information. -Joe
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: