ASA 5510 access resources by NT Domain grouping

jerryben11
Level 1

I'm configuring the ASA 5510 to authenticate users using AAA servers of the NT Domain type; it works to authenticate the AD users to get in.

My next step is that I want to authenticate users to access WebVPN with different group policies defined in ASDM by Windows AD grouping.

That is to say, I want the Group A, Group B, Group C users in Windows AD to access group-policy A, group-policy B, group-policy C respectively to control their applications.

How can I do that?

Many thanks in advance!!

5 Replies

JORGE RODRIGUEZ
Level 10

Your requirements seem as though they could be accomplished using DAP (Dynamic Access Policies). I have not played with this feature yet, so it is an educated guess.

Have a look here.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Rgds

Jorge

Jorge Rodriguez

Thanks for your help.

I'm trying to configure DAP (Dynamic Access Policies), but it still doesn't work. Do you know whether DAP works with LDAP or NT Domain authentication in the AAA configuration? I've tried to work with both LDAP and NT Domain, and neither works.

Thank you!

It should, if you look at the same link I provided it should work with LDAP/AD environment.

This one is tricky to lab out or would take some time, but you could perhaps open a TAC case to get faster expert assistance on this feature and your requirements.

This is another DAP link with a little more detail.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_dap.html

Jorge Rodriguez

Thanks! DAP will have to be considered later.

Now I have a problem making the connection to the other VPN peer site on WebVPN.

When our client connects to the WebVPN, I've set it to assign a pool of IP addresses, but when I check ipconfig on the client notebook, I find that the IP address is from the IPS, not an address from my pool. How can I check the WebVPN session and whether it is using the address assigned by the ASA?

I have the following commands:

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool bigpool
 authentication-server-group SG1
 authentication-server-group (inside) SG1
 default-group-policy SSL_IT
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Default disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 3600 retry 2

ip local pool bigpool 192.168.100.101-192.168.100.120 mask 255.255.255.0
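As an added example (not part of the original posts), these are the ASA commands used to verify whether a session actually received an address from the pool. One point worth knowing: `address-pool` only applies to full-tunnel sessions (SSL VPN Client/AnyConnect or IPsec). A clientless WebVPN session through the browser portal never gets a pool address; the notebook keeps whatever address it already has, which is consistent with ipconfig showing a non-pool address. The pool and tunnel-group names match the posted config; the username `jdoe`, the image file name and the group-policy `SSL_IT` attributes are assumptions for illustration.

```cisco
! --- Verification: which sessions exist and what address each got ---
! Clientless (portal) sessions: no assigned address is listed for these
ciscoasa# show vpn-sessiondb webvpn
! SSL VPN Client sessions: "Assigned IP" is the address taken from the pool
ciscoasa# show vpn-sessiondb svc
! Per-user detail (assigned IP, group-policy, tunnel-group, filters)
ciscoasa# show vpn-sessiondb detail svc filter name jdoe
! Pool usage: lists which addresses from bigpool are currently allocated
ciscoasa# show ip local pool bigpool

! --- If a pool address is wanted, the client must be a full-tunnel client ---
! (assumed: ASA 8.0 syntax; image file name is a placeholder)
webvpn
 enable outside
 svc image disk0:/<anyconnect-package-name>.pkg 1
 svc enable
group-policy SSL_IT attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value bigpool
 webvpn
  svc enable
```

After a client connects with the SSL VPN client rather than the portal, `show vpn-sessiondb svc` should show an address in the 192.168.100.101-120 range; if it still does not, the output of `show ip local pool bigpool` shows whether the pool is exhausted or a different pool was chosen.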

palomoj
Level 1

You can accomplish this if you utilize Microsoft IAS or NPS for authentication to Active Directory. You can create the policies and dynamically set the VPN group & group-policy based on Active Directory security group membership. Each VPN group will utilize a group-policy with the appropriate VPN filter ACL applied.

I am mentioning Microsoft IAS or NPS since you didn't mention you have Cisco ACS (costs extra).
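To illustrate the ASA side of this suggestion, here is an added example (not code from the original posts or from Cisco documentation). It assumes the ASA authenticates against NPS/IAS over RADIUS (not the NT Domain server type, which cannot return attributes), and that each NPS network policy uses a "Windows Groups" condition on the AD security group and returns the IETF RADIUS Class attribute (25) with the value `OU=<group-policy-name>;`, which the ASA maps to the group-policy of that name. All addresses, names and ACL entries are constructed for the example.

```cisco
! RADIUS server group for the NPS/IAS server (constructed address)
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.0.0.10
 key <radius-shared-secret>

! One VPN filter ACL per AD group; vpn-filter ACLs are written from the
! client's point of view (source = VPN client)
access-list FILTER_GROUP_A extended permit tcp any host 10.0.1.10 eq 3389
access-list FILTER_GROUP_A extended deny ip any any
access-list FILTER_GROUP_B extended permit tcp any host 10.0.1.20 eq 443
access-list FILTER_GROUP_B extended deny ip any any

! Group-policies named exactly as in the NPS Class value, e.g. OU=GP_A;
group-policy GP_A internal
group-policy GP_A attributes
 vpn-filter value FILTER_GROUP_A
group-policy GP_B internal
group-policy GP_B attributes
 vpn-filter value FILTER_GROUP_B

! Fallback for users NPS authenticates but assigns no policy to:
! zero simultaneous logins means the session is refused
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! The tunnel-group authenticates via NPS; a Class attribute returned by
! NPS overrides default-group-policy for that user
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group NPS
 default-group-policy GP_NOACCESS
```

With this in place, the mapping of AD group to access rights lives in the NPS policies, and the ASA only needs a group-policy per AD group. Keeping the default group-policy restrictive matters: a user who authenticates but matches no NPS policy otherwise lands in whatever `default-group-policy` allows. `show vpn-sessiondb detail webvpn` (or `svc`) shows which group-policy and filter a connected user actually received, which is the quickest way to confirm the attribute is arriving from NPS.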
