ASA: group lock with NT-Domain authentication.

Answered Question
Jul 20th, 2009

Hi!


We have one ASA5510. I set up two groups for remote VPNs, and both use NT-domain authentication. How can I set a tunnel-group lock for the users in both groups?

How can I lock the user to the group? Is there any configuration in Active Directory to set the group for users?



I don't know what the solution is; I have found nothing.


Please help, thank you!

Gabor


Todd Pula Mon, 07/20/2009 - 06:09

There are a few ways that this can be accomplished. You can statically configure a connection profile lock on the respective group policy that the users are being assigned to. You could also use an LDAP attribute map to match a particular field in AD. For example, you configure your ASA connection profiles to match internal departments. Users in AD who are part of the Engineering department should get locked to the Engineering connection profile. You can achieve this type of configuration using the following:


ldap attribute-map Tunnel-Lock
  map-name department Tunnel-Group-Lock

hegegabor Tue, 07/21/2009 - 00:52

Hi, Todd!

Thank you! This is what I want.


(please post a message to close this topic - I failed the rating)


Thanks, Gabor

hegegabor Tue, 07/21/2009 - 02:17

Hi,

Something is not clear.


In the example, what is the "department" in AD? What does "particular field" mean? Do I have to extend the AD schema?


or what?

Correct Answer
Todd Pula Tue, 07/21/2009 - 06:56

The "department" field that I was speaking to would be an attribute assigned to the user account in Active Directory.
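Todd's two posts above give the attribute map but not the rest of the configuration it depends on, and Gabor's question about where "department" lives is answered only in passing. The following is an added example, not part of the original thread; every name, address and DN in it is an assumption. It relies on two facts: the department attribute is a standard attribute of Active Directory user objects (the Department field on the user's Organization tab in Active Directory Users and Computers), so no schema extension is needed; and an LDAP attribute map is bound to an aaa-server host in a group of protocol ldap, so the connection profiles have to authenticate against AD over LDAP rather than through an NT-domain (protocol nt) server group, which returns no user attributes for the map to act on.

```cisco
! Added example, not from the original thread. Server group name, IP address,
! DNs, department values and tunnel-group names are all assumptions.
!
! 1. Attribute map: copy the AD "department" attribute into the ASA's
!    Tunnel-Group-Lock attribute. map-value translates each department
!    string into the exact connection-profile (tunnel-group) name the user
!    should be locked to; if the AD value already equals the tunnel-group
!    name, the map-value lines are unnecessary.
ldap attribute-map Tunnel-Lock
  map-name department Tunnel-Group-Lock
  map-value department Engineering ENG-VPN
  map-value department Sales SALES-VPN
!
! 2. LDAP server group pointing at a domain controller. The attribute map
!    is attached to the host entry. An "aaa-server ... protocol nt" group
!    cannot carry an attribute map, which is why NT-domain authentication
!    alone cannot lock users to a profile.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
  ldap-base-dn DC=example,DC=local
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=local
  ldap-login-password BindPasswordHere
  server-type microsoft
  ldap-attribute-map Tunnel-Lock
!
! 3. Connection profiles whose names match the map-value targets above,
!    both authenticating against the LDAP group so the map is evaluated.
tunnel-group ENG-VPN type remote-access
tunnel-group ENG-VPN general-attributes
  authentication-server-group AD-LDAP
  default-group-policy ENG-POLICY
tunnel-group SALES-VPN type remote-access
tunnel-group SALES-VPN general-attributes
  authentication-server-group AD-LDAP
  default-group-policy SALES-POLICY
```

With this in place a user whose department is Sales is rejected when connecting to ENG-VPN, because the Tunnel-Group-Lock value returned for that user (SALES-VPN) does not match the profile being used. Two checks are worth doing before relying on it: run "test aaa-server authentication AD-LDAP host 10.0.0.10 username <user> password <pw>" with "debug ldap 255" enabled and confirm the debug output shows department being mapped to Tunnel-Group-Lock with the expected profile name; and look for accounts whose department is empty or not listed in a map-value line, since those users receive no Tunnel-Group-Lock from LDAP and are constrained only by whatever group-lock the group policy sets, which by default is none.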
