Configuring LDAP Group IPSEC VPN Authentication

jj27
Spotlight

Greetings,

I would like to know if it is possible to authenticate VPN users via LDAP to a security active directory group. I know you can do this with the WebVPN and assign different VPN group policies, but I would like to either permit/deny login access through the IPSEC VPN based on Active Directory group membership.

Any help configuring this would be appreciated.

2 Replies

jj27
Spotlight

Just for the record, I did get it working based on OU membership, but I'd like to know if there is a way to get it working based on security/distribution group membership.

Thanks.

ogden.clinic
Level 1

These two articles helped me with getting this to work on an ASA5520:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a008089149d.shtml

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Sorry for piggybacking on your thread here, but I'm struggling with one part of what I'm trying to accomplish. I want to grant VPN access ONLY if the user is in a specific group. If the user isn't a member of that group, I want to deny access. Right now, group mapping is working (AD group to Tunnel Group), but any user that exists in Active Directory is allowed access.

The only solution I can come up with is to have two AD security groups, one that allows access and one that doesn't, and map the two groups to two different tunnel groups (again, one that allows and one that denies). This is less than ideal. Any thoughts from anyone?
