Solved: ASA: group lock with NT-Domain authentication.

hegegabor · ‎07-20-2009

Hi!

We have one ASA5510. I set two group for remote vpns, and both uses NT-domain authentication. How can I set tunnel-group lock for the users in both group.

How can I lock the user to the group. Is there any configuration in Active Directory to set group for users.

I don't know what is the solution, I have found nothing.

Please help, thank you!

Gabor

Todd Pula · ‎07-21-2009

The "department" field that I was speaking to would an attribute assigned to the user account in Active Directory.

View solution in original post

Todd Pula · ‎07-20-2009

There are a few ways that this can be accomplished. You can statically configure a connection profile lock on the respective group policy that the users are being assigned to. You could also use an LDAP attribute map to match a particular field in AD. For example, you configure your ASA connection profiles to match internal departments. Users in AD who are part of the Engineering department should get locked to the Engineering connection profile. You can achieve this type of configuration using the following:

ldap attribute-map Tunnel-Lock

map-name department Tunnel-Group-Lock

hegegabor · ‎07-21-2009

Hi, Todd!

Thank you! this is what i want.

(please post a message to close this topic - I failed the rating)

thanks Gabor

hegegabor · ‎07-21-2009

Hi,

Something is not clear.

In the example what is the "department" on the AD? What means particular field? do I have to enlarge the AD schema?

or what?

Todd Pula · ‎07-21-2009

The "department" field that I was speaking to would an attribute assigned to the user account in Active Directory.

hegegabor · ‎07-21-2009

Ok! thank you, I found this field in AD.

There is a good guide here:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html

bye, Gabor