09-14-2009 05:57 AM
I'm in the process of doing an SSL VPN configuration for a customer who wants to integrate the SSL VPN authentication with Active Directory. They want to be able to give each group in AD specific access rights, essentially access-lists per group-policy straight from the firewall to LDAP. The customer doesn't have ACS, so I can't use downloadable ACLs. I'm familiar with user authentication to LDAP or RADIUS on the firewall; what I haven't done before is map an LDAP group to a group policy on the firewall without using ACS.
Has anyone ever done this or know if it can be done with IAS?
09-14-2009 09:09 AM
You mention firewall so I am assuming you are deploying an ASA. There are a few different ways you can assign LDAP users to a group policy. You can then configure a tunnel group lock and network filter on the respective group policy. Another more flexible solution is to use DAP.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
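A worked configuration for the first approach described above (LDAP attribute map to group policy, plus a group-lock and a network filter on that policy). This is an added example and is not part of the original reply or of the linked Cisco documents; every name, address and DN in it (the AD server at 10.10.1.5, the example.com domain, the VPN-Finance group, the FINANCE and NOACCESS policies, the SSLVPN_FINANCE tunnel group) is an assumption chosen for illustration.

```cisco
! Added example, not from the original post. All names, IPs and DNs are assumptions.

! Network filter for the Finance group: only HTTPS into the Finance subnet.
access-list FINANCE_VPN_FILTER extended permit tcp any 10.10.20.0 255.255.255.0 eq 443
access-list FINANCE_VPN_FILTER extended deny ip any any

! Catch-all policy used as the tunnel group default: a user whose AD groups
! match nothing in the attribute map lands here and cannot log in.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy for members of the AD group VPN-Finance.
group-policy FINANCE internal
group-policy FINANCE attributes
 vpn-tunnel-protocol ssl-client webvpn
 vpn-filter value FINANCE_VPN_FILTER
 group-lock value SSLVPN_FINANCE

! Map the AD memberOf attribute to the ASA Group-Policy attribute.
! (On images older than 8.2 use IETF-Radius-Class instead of Group-Policy.)
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" FINANCE

! LDAP server group pointing at a domain controller, bound with a read-only service account.
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.10.1.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP

! Tunnel group that authenticates against AD and falls back to NOACCESS.
tunnel-group SSLVPN_FINANCE type remote-access
tunnel-group SSLVPN_FINANCE general-attributes
 authentication-server-group AD
 default-group-policy NOACCESS
```

Two checks worth running before handing this over. First, `test aaa-server authentication AD username <user> password <pw>` together with `debug ldap 255` shows the memberOf values the domain controller returns and which one the map matched; memberOf is multi-valued, so a user who belongs to several mapped groups gets whichever value matches first, which is the main reason the reply calls DAP the more flexible option. Second, confirm the default policy really denies: a test account that is in no mapped group should be rejected with simultaneous logins exceeded, not silently dropped into a permissive policy.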
09-14-2009 10:16 AM
Beautiful... I was on the right track then. Thanks for your help. I have some of this configured already. I've read the first two guides in the past several times, but have never seen the DAP guide.
Thank You