Configuring LDAP Group IPSEC VPN Authentication

Unanswered Question
May 29th, 2008

Greetings,

I would like to know if it is possible to authenticate VPN users via LDAP against an Active Directory security group. I know you can do this with the WebVPN and assign different VPN group policies, but I would like to permit or deny login access through the IPSEC VPN based on Active Directory group membership.

Any help configuring this would be appreciated.

jjohnston1127 Thu, 05/29/2008 - 08:52

Just for the record, I did get it working based on OU membership, but I'd like to know if there is a way to get it working based on security/distribution group membership.

Thanks.

ogden.clinic Fri, 05/30/2008 - 10:52

These two articles helped me with getting this to work on an ASA5520:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a008089149d.shtml

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Sorry for piggybacking on your thread here, but I'm struggling with one part of what I'm trying to accomplish. I want to grant VPN access ONLY if the user is in a specific group. If the user isn't a member of that group, I want to deny access. Right now, group mapping is working (AD group to Tunnel Group), but any user that exists in Active Directory is allowed access.

The only solution I can come up with is to have two AD security groups, one that allows access and one that doesn't, and map the two groups to two different tunnel groups (again, one that allows and one that denies). This is less than ideal. Any thoughts from anyone?
