03-11-2009 08:28 AM - edited 02-21-2020 03:20 AM
I desperately need some advice with my WEBVPN authentication design.
How would I restrict specific users to only connect to certain connection profile Aliases?
For instance, let's say I have GROUP A, GROUP B, and GROUP C as aliases, available on the drop-down menu of the SSL login screen. In AD, I have 3 security groups named the same. How do I ensure that only members of the GROUP A security group can authenticate to the GROUP A connection profile, and not the others? Ideally, I would like to accomplish this with RADIUS authentication, but I couldn't find an attribute that was passed along that I can prequalify against. Any and all suggestions are appreciated. Thanks.
03-11-2009 09:32 AM
You can use LDAP mapping to authenticate your users against AD with LDAP, retrieve the memberOf value and map it to the IETF-Class value that the ASA understands; this enables group lock, which will only allow users belonging to a specific tunnel group/group policy to connect to that tunnel group/group policy.
03-11-2009 02:11 PM
Thanks for the suggestions. I went with an LDAP solution, but ditched the memberOf requirement. I just set up different AAA server groups with different base DNs, since the accounts will be separated by OUs anyhow.
However, I don't think I can use auto-signon with LDAP, correct? Would I need to configure an SSO server if I wanted to have a single sign-on solution for CIFS shares?
Thanks again for pointing me in the right direction.
03-11-2009 04:06 PM
Mhhh, I am not a Windows guy, but one of the requirements is for your system to support NTLM v1:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9ff.shtml#req