ASA 5510 access resources by NT Domain grouping

Nov 25th, 2008

I'm configuring the ASA5510 to authenticate users using AAA servers of the NT Domain type; it works to authenticate the AD users and let them in.


My next step is that I want to authenticate users accessing WebVPN with different group policies defined in ASDM, according to Windows AD grouping.


That is to say, I want the Group A, Group B and Group C users in Windows AD to be assigned group-policy A, group-policy B and group-policy C respectively, to control their applications.


How can I do that?


Many thanks in advance!
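An added example, not from the original post or from Cisco's documentation, of the usual way to do this on an ASA: the NT Domain server type only authenticates and returns no group information, so the AAA server group is changed to LDAP and an ldap attribute-map translates the user's memberOf values into the name of an ASA group-policy. Hostnames, DNs, ACL and policy names below are assumptions; the syntax is the ASA 8.0 form in use at the time of the thread.

```cisco
! Added example (assumed names and addresses): map AD security groups to
! ASA group-policies through an LDAP attribute map.

! 1. memberOf DN -> group-policy name. "Group-Policy" is the ASA-side
!    attribute name the ASA reads to pick the policy for the session.
ldap attribute-map AD-GROUP-TO-GP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=Group A,OU=Groups,DC=example,DC=com" GP-A
 map-value memberOf "CN=Group B,OU=Groups,DC=example,DC=com" GP-B
 map-value memberOf "CN=Group C,OU=Groups,DC=example,DC=com" GP-C

! 2. LDAP server group bound to a domain controller with a low-privilege,
!    read-only service account (assumed DN).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-GP

! 3. One group-policy per AD group. vpn-filter governs SSL VPN client
!    (svc) sessions; the webtype ACL under "webvpn" governs clientless
!    portal sessions. GP-B and GP-C follow the same pattern with their
!    own ACLs.
access-list ACL-GP-A extended permit tcp any host 192.0.2.50 eq 443
access-list WEBACL-GP-A webtype permit url https://app-a.example.com/*
group-policy GP-A internal
group-policy GP-A attributes
 vpn-tunnel-protocol svc webvpn
 vpn-filter value ACL-GP-A
 webvpn
  filter value WEBACL-GP-A

! 4. Fail closed: anyone who authenticates but matches no map-value lands
!    in a policy that allows zero concurrent logins.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

During a test login, debug ldap 255 prints the memberOf values the domain controller returned and the group-policy the map resolved to, and the Group Policy column of show vpn-sessiondb confirms what the session actually received. If a user belongs to more than one mapped group the ASA applies only one of them (the first memberOf value that matches a map-value), so overlapping memberships need an explicit precedence decision rather than being left to the order AD happens to return.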

jerryben11 Thu, 11/27/2008 - 18:22

Thanks for your help.


I'm trying to configure DAP (Dynamic Access Policies), but it still doesn't work. Do you know whether DAP works with LDAP or NT Domain authentication in the AAA configuration? I've tried with both LDAP and NT Domain; neither works.


Thank you!

JORGE RODRIGUEZ Thu, 11/27/2008 - 21:43

It should; if you look at the same link I provided, it should work with an LDAP/AD environment.


This one is tricky to lab out, or would take some time, but you could perhaps open a TAC case to get faster expert assistance on this feature and your requirements.


This is another DAP link with a little more detail.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_dap.html

jerryben11 Sun, 12/07/2008 - 23:05

Thanks! DAP will have to be considered later.


Now I have a problem making the connection to the other VPN peer site over WebVPN.


When our client connects to the WebVPN, I've set it to assign an IP address from a pool, but when I check ipconfig on the client notebook, I find that the IP address is from the ISP, not an address from my pool. How can I check the WebVPN session and whether it is using the address assigned by the ASA?


I have the following commands:


tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool bigpool
 authentication-server-group SG1
 authentication-server-group (inside) SG1
 default-group-policy SSL_IT
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Default disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 3600 retry 2

ip local pool bigpool 192.168.100.101-192.168.100.120 mask 255.255.255.0
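An added note and example, not from the post above: a clientless WebVPN session (the browser portal) is proxied by the ASA and never receives an address from the pool, so ipconfig on the notebook keeps showing the ISP or LAN address; only the SSL VPN client (svc, later renamed AnyConnect) pulls an address from bigpool. The configuration below takes the tunnel-group, pool and SSL_IT policy from the post, attaches the pool to the policy and enables the client; the client image file name is an assumption. The show commands at the end are how to tell the two session types apart and read the assigned address.

```cisco
! Added example: enable the SSL VPN client so that bigpool is actually
! handed out, then verify. tunnel-group, pool and SSL_IT are from the
! post; the client image path is an assumption.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable

group-policy SSL_IT attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value bigpool
 webvpn
  svc ask none default svc

! Verification. Client (tunnel) sessions list an "Assigned IP" taken from
! bigpool; clientless sessions show none, because the browser keeps its
! own address and the ASA proxies on its behalf.
show vpn-sessiondb svc
show vpn-sessiondb webvpn
show vpn-sessiondb detail svc filter name jsmith
show ip local pool bigpool
```

If show vpn-sessiondb svc is empty while show vpn-sessiondb webvpn lists the user, the notebook is only using the portal and no pool address was ever meant to appear in ipconfig.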

You can accomplish this if you use Microsoft IAS or NPS for authentication to Active Directory. You can create the policies and dynamically set the VPN group and group-policy based on Active Directory security group membership. Each VPN group will use a group-policy with the appropriate VPN filter ACL applied.


I am mentioning Microsoft IAS or NPS since you didn't mention that you have Cisco ACS (which costs extra).
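The ASA side of the NPS/IAS approach described above, as an added example that is not from the reply or from Microsoft or Cisco documentation. NPS authenticates the user against AD, and a network policy whose condition is Windows Group membership returns the IETF Class attribute (RADIUS attribute 25) set to "OU=<group-policy-name>;", which the ASA treats as the group-policy for the session. group-lock then pins each policy to its own tunnel-group (the "VPN group") so that a user cannot pick a different profile from the login page. Addresses, names and the shared secret are assumptions.

```cisco
! Added example (assumed names and addresses): AD group -> group-policy
! via Microsoft NPS returning RADIUS Class, with group-lock per tunnel-group.

! NPS side (configured in the NPS console, summarised here as comments):
!   Network Policy "VPN-GroupA"
!     Condition: Windows Groups = EXAMPLE\Group A
!     Settings -> RADIUS Attributes -> Standard -> Class = "OU=GP-A;"
!   one policy each for Group B ("OU=GP-B;") and Group C ("OU=GP-C;")
!   The ASA is registered in NPS as a RADIUS client with the same secret.

aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 192.0.2.20
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! Per-group policy: a vpn-filter for client sessions and group-lock so the
! session is only accepted in the matching tunnel-group. A Group B user who
! logs in under "Group A" gets GP-B from NPS, fails the lock, and is dropped.
access-list ACL-GP-A extended permit ip any 10.1.0.0 255.255.255.0
group-policy GP-A internal
group-policy GP-A attributes
 vpn-filter value ACL-GP-A
 group-lock value TG-GROUP-A
! (GP-B / GP-C: same shape, with their own ACL and tunnel-group)

! One tunnel-group per AD group, all authenticating through NPS.
tunnel-group TG-GROUP-A type remote-access
tunnel-group TG-GROUP-A general-attributes
 authentication-server-group NPS-RADIUS
 default-group-policy NOACCESS
tunnel-group TG-GROUP-A webvpn-attributes
 group-alias "Group A" enable

! Belt and braces: a user NPS accepts without returning a Class attribute
! falls into the tunnel-group default, which permits zero logins.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Show the alias list on the WebVPN login page.
webvpn
 enable outside
 tunnel-group-list enable
```

The Class value must end with a semicolon and name an existing group-policy exactly; debug radius during a test login shows the attribute as returned by NPS, and a session that authenticates but is immediately torn down usually means the returned policy's group-lock does not match the tunnel-group the user chose.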
