Windows Group membership for AAA on PIX or ASA

tom.brockman · ‎08-13-2009

Is it possible to tie Windows AD group membership to authentication for a particular VPN connection profile on PIX/ASA?

I am using Windows IAS for RADIUS to authenticate VPN users. I have configured IAS to require that users are a member of the AD group "RemoteAccess". This works fine, but is applied against all connection profiles on the PIX/ASA. I would like to find a way to make this more granular.

For example, a remote user with the connection profile "VPN1" could only authenticate if a member of the Active Directory group "VPN Group 1". Other users would be issued a different connection profile "VPN2" and could only authenticate if a member of a different AD group "VPN Group 2" (each connection profile would have a different encryption domain, restricting which networks and hosts the user can tunnel to).

It looks to me that using IAS for RADIUS with PIX/ASA is an all or nothing proposition (as far as AD group membership is concerned). The IAS Remote Access policy can require membership in a particular AD group, but this policy is applied against all RADIUS authentication attempts.

I'd like to have the PIX/ASA be able to send AAA requests to the same IAS server for all connection profiles and have these evaluated differently for AD group membership (connection profile "VPN1" requires AD group "VPN Group 1", connection profile "VPN2" requires AD group "VPN Group 2", etc.).

Is this possible?

Thanks in advance for any suggestions.

Report Inappropriate Content · ‎08-19-2009

The URL below provides a sample configuration for SSL VPN clients (SVC) that connect to Cisco 5500 Series Adaptive Security Appliance (ASA) and then get mapped to different VPN group policies based on a response from a Microsoft Lightweight Directory Access Protocol (LDAP) server. The ASA 7.2.2 software provides LDAP attribute mapping, which allows attributes that are sent from the LDAP server to be mapped to attributes recognized by the ASA, such as IETF RADIUS attribute 25 (Class).

In this example, users who are allowed â€œdial-inâ€ access in the AD/LDAP server are mapped to the â€œALLOWACCESSâ€ group policy, and the users who are not allowed â€œdial-inâ€ access are assigned to the â€œNOACCESSâ€ group policy on the ASA. The â€œNOACCESSâ€ group policy has the number of allowed VPN sessions set to 0, which causes the user connection to fail.

Note: This configuration uses the SSL VPN client, but the same principles can be applied to group policies used for other VPN clients. Moreover, this configuration can be used for purposes other than to deny VPN access

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml#intro

tobyhouser · ‎03-23-2010

" I'd like to have the PIX/ASA be able to send AAA requests to the same IAS server for all connection profiles and have these evaluated differently for AD gr

oup membership (connection profile "VPN1" requires AD group "VPN Group 1", connection profile "VPN2" requires AD group "VPN Group 2", etc.)."

I have this same requirement .. and it doesn't seem the question has been answered yet. Using Microsoft IAS as the auth server, how do I get the ASA (v.8.2.1) to take different user groups defined in AD, and control access to different group policies on the VPN? We're setting up the ASA for many different vendors, and need to control access for each vendor with different policy. For example, Vendor one is in AD group Vendor1 and will only be permitted access to a group of defined IPs in our network. Vendor two is in AD group Vendor2 and will only be permitted access to a different group of defined IPs in our network from Vendor1.

How is this done, preferably with just Windows IAS (RADIUS) and built in ASA SSL VPN and AnyConnect controls.