ASA: group lock with NT-Domain authentication.

Answered Question
Jul 20th, 2009

Hi!

We have one ASA5510. I set up two groups for remote VPNs, and both use NT-domain authentication. How can I set a tunnel-group lock for the users in both groups?

How can I lock the user to the group? Is there any configuration in Active Directory to set the group for users?

I don't know what the solution is; I have found nothing.

Please help, thank you!

Gabor

Todd Pula Mon, 07/20/2009 - 06:09

There are a few ways that this can be accomplished. You can statically configure a connection profile lock on the respective group policy that the users are being assigned to. You could also use an LDAP attribute map to match a particular field in AD. For example, you configure your ASA connection profiles to match internal departments. Users in AD who are part of the Engineering department should get locked to the Engineering connection profile. You can achieve this type of configuration using the following:

ldap attribute-map Tunnel-Lock
 map-name department Tunnel-Group-Lock

hegegabor Tue, 07/21/2009 - 00:52

Hi, Todd!

Thank you! This is what I want.

(please post a message to close this topic - I failed the rating)

Thanks, Gabor

hegegabor Tue, 07/21/2009 - 02:17

Hi,

Something is not clear.

In the example, what is the "department" on the AD? What does "particular field" mean? Do I have to extend the AD schema?

or what?

Correct Answer
Todd Pula Tue, 07/21/2009 - 06:56

The "department" field that I was speaking to would be an attribute assigned to the user account in Active Directory.
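The configuration below is added here as a worked example; it is not from Todd's posts or from Cisco documentation. It puts the two approaches from his first answer side by side on one ASA: a static group-lock on the group policy, and the LDAP attribute map that turns the AD user attribute "department" into Tunnel-Group-Lock. The department field Todd refers to is the standard AD user attribute "department" (the Department box on the Organization tab in Active Directory Users and Computers), so no schema extension is needed. Two caveats a practitioner will want: the attribute map is attached to an LDAP server definition, so an NT-domain (NTLM) aaa-server can never deliver the attribute and the connection profiles have to authenticate against AD over LDAP instead; and the value that ends up in Tunnel-Group-Lock must equal the connection profile name exactly, including case, which is what the map-value lines enforce. The server address, base DN, service account, group policy names and the two department strings are assumed values.

```cisco
! --- Option 1: static lock on the group policy ---------------------------
! Every user who lands on Engineering-GP may only connect through the
! "Engineering" connection profile; a login via any other profile is refused.
group-policy Engineering-GP internal
group-policy Engineering-GP attributes
 group-lock value Engineering

group-policy Sales-GP internal
group-policy Sales-GP attributes
 group-lock value Sales

! --- Option 2: lock derived from the AD "department" attribute -----------
! map-name translates the LDAP attribute "department" into the ASA
! attribute Tunnel-Group-Lock. map-value translates the human-readable
! strings stored in AD (assumed values) into the exact tunnel-group names;
! without map-value the AD value itself must match the tunnel-group name.
ldap attribute-map Tunnel-Lock
 map-name department Tunnel-Group-Lock
 map-value department "Engineering Dept" Engineering
 map-value department "Sales Dept" Sales

! The map only takes effect on an LDAP aaa-server, so authentication moves
! from NT-domain to LDAP against a domain controller (assumed host, base DN
! and read-only service account).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map Tunnel-Lock

! Connection profiles. Their names must be exactly the values produced by
! the attribute map above (and by group-lock in option 1).
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 authentication-server-group AD-LDAP
 default-group-policy Engineering-GP

tunnel-group Sales type remote-access
tunnel-group Sales general-attributes
 authentication-server-group AD-LDAP
 default-group-policy Sales-GP
```

To check the mapping, log in as a test user whose department is set and watch `debug ldap 255`: the returned attributes should show the department value being mapped to Tunnel-Group-Lock, and a user who picks the wrong connection profile is rejected at authentication rather than landing in the wrong group. A user with an empty department receives no lock at all, so the static group-lock in option 1 is the safer default for any profile that must never be reachable by the "wrong" population.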
