11-25-2008 10:48 PM
I'm configuring the ASA5510 to authenticate users by using AAA servers of NT Domain type; it works to authenticate the AD users to get in.
My next step is I want to authenticate users to access WebVPN with different group policies defined in ASDM by Windows AD grouping.
That is to say, I want the Group A, Group B, Group C users in Windows AD to access group-policy A, group-policy B, group-policy C respectively to control their applications.
How can I do that?
Many thanks in advance!!
11-26-2008 09:20 AM
Your requirement seems as though it could be accomplished using DAP (Dynamic Access Policies). I have not played yet with this feature, so it is an educated guess.
Have a look here.
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
Rgds
Jorge
11-27-2008 06:22 PM
Thanks for your help.
I'm trying to configure DAP (Dynamic Access Policies), but it still didn't work. Do you know if DAP works with LDAP or NT Domain authentication in the AAA configuration? I've tried to work with both LDAP and NT Domain, and neither worked.
Thank you!
11-27-2008 09:43 PM
It should, if you look at the same link I provided it should work with LDAP/AD environment.
This one is tricky to lab out or would take some time, but you could perhaps open a TAC case to get faster expert assistance on this feature and your requirements.
This is another DAP link with a little more detail.
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_dap.html
12-07-2008 11:05 PM
Thanks! DAP will have to be considered later.
Now I have a problem making the connection to the other VPN peer site on WebVPN.
When our client connects to the WebVPN, I've set it to assign a pool of IP addresses, but when I check ipconfig on the client notebook, I found that the IP address is from the IPS, not an address from my pool. How can I check the WebVPN session, and is it using the address assigned by the ASA?
I have the following commands:
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool bigpool
 authentication-server-group SG1
 authentication-server-group (inside) SG1
 default-group-policy SSL_IT
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Default disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 3600 retry 2
ip local pool bigpool 192.168.100.101-192.168.100.120 mask 255.255.255.0
12-08-2008 09:25 PM
You can accomplish this if you utilize Microsoft IAS or NPS for authentication to Active Directory. You can create the policies and dynamically set the VPN group & group-policy based on Active Directory security group membership. Each VPN group will utilize a group-policy with the appropriate VPN filter ACL applied.
I am mentioning Microsoft IAS or NPS since you didn't mention you have Cisco ACS (costs extra).
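Added illustration of the ASA side of the IAS/NPS approach described in the reply above (example configuration, not from the thread or its posters). It assumes an NPS/IAS server at the placeholder address 10.0.0.5, two AD security groups mapped to group-policies GP-A and GP-B, and constructed filter ACLs.

```cisco
! Added example, not the poster's configuration. 10.0.0.5 and the ACL targets are placeholders.
! RADIUS server group pointing at NPS/IAS, which in turn authenticates users against AD
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.0.0.5
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
! Use the RADIUS group for the WebVPN tunnel-group instead of the NT Domain server group
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool bigpool
 authentication-server-group NPS
 default-group-policy SSL_IT
! One group-policy per AD security group, each carrying its own VPN filter ACL
! (vpn-filter ACLs: source = remote client, destination = inside resource; implicit deny at the end)
access-list GP-A-FILTER extended permit tcp any host 192.168.1.10 eq 443
group-policy GP-A internal
group-policy GP-A attributes
 vpn-filter value GP-A-FILTER
access-list GP-B-FILTER extended permit tcp any host 192.168.1.20 eq 3389
group-policy GP-B internal
group-policy GP-B attributes
 vpn-filter value GP-B-FILTER
! On NPS/IAS: create one network policy per AD group (condition "Windows Groups") that
! returns the IETF RADIUS Class attribute (25) as the text "OU=GP-A;" or "OU=GP-B;".
! The ASA maps that Class value to the group-policy of the same name at login.
! Verification per session: "show vpn-sessiondb" lists the group-policy and assigned IP.
```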