WEBVPN and AD group membership

Answered Question
Mar 11th, 2009

I desperately need some advice with my WEBVPN authentication design.

How would I restrict specific users to only connect to certain connection profile Aliases?

For instance, let's say I have GROUP A, GROUP B, and GROUP C as aliases, available in the drop-down menu of the SSL login screen. In AD, I have 3 security groups named the same. How do I ensure that only members of the GROUP A security group can authenticate to the GROUP A connection profile, and not the others? Ideally, I would like to accomplish this with RADIUS authentication, but I couldn't find an attribute that was passed along that I can prequalify against. Any and all suggestions are appreciated. Thanks.

Correct Answer by Ivan Martinon about 7 years 9 months ago

You can use LDAP mapping to authenticate your users against AD with LDAP, retrieve the memberOf value and map it to the IETF-Class value that the ASA understands. This enables group lock, which will only allow users belonging to a specific tunnel group/group policy to connect to that tunnel group/group policy.


ryan.bachman Wed, 03/11/2009 - 14:11

Thanks for the suggestions. I went with an LDAP solution, but ditched the memberOf requirement. I just set up different aaa server-groups with different base DNs, since the accounts will be separated by OUs anyhow.

However, I don't think I can use auto-signon with LDAP, correct? Would I need to configure an SSO server if I wanted to have a single sign-on solution for CIFS shares?

Thanks again for pointing me in the right direction.
