I've been racking my brain over this for a few days, and it's just not coming to me. I'll try and be as succinct as possible. I'm in the process of transitioning my users from IPSEC to SSL web/client VPN. During this process, I want to limit users to what they need to get to only.
ASA Firewall configured for SSL VPN and IPSEC VPN (8.2.1)
Cisco ACS for Windows (4.2)
Windows Active Directory Domain
We have multiple departments that will each need different levels of access. We currently have one group of users that belong to an AD group that is mapped to an ACS group. Everything happens just fine for the IPSEC VPN and SSL VPN as it is. The problem I'm running into is adding a new group(s) to the mix and getting the correct checks in place for membership to that group.
Example: If you are in the AD group OWA, you should only have access to OWA when you log in to SSL VPN.
Example: If you are in the AD group Marketing, you should have access to shares and resources that are predefined.
There could be up to 10 groups.
I've added a new group to the ACS server and mapped it to the corresponding group. But I guess I'm not understanding how to get from the ASA --> ACS to check for membership to that group. I've tried DAP from the ASA with checks against Radius attribs - but it fails. I just feel like I'm missing something in the ACS server I need to do first.
Thanks in advance for help.
When checking groups, the ASA only reads the Class attribute from the ACS access-accept packet; depending on this Class value, the ASA will map you to a certain group policy as your configuration might say.
ACS will read the first memberOf value retrieved from the AD profile and map the user to the group accordingly, so if you have multiple groups on a single user it will always match the first one on the list (don't ask me what is the order in which AD sends the groups to the ACS).
From the first statement, I can think that you will need as many group policies as functions you need, and based on the Class value they will be mapped to this group policy and then these functions will be enabled. This I believe can be done with plain RADIUS authentication and RADIUS attributes or with DAP (DAP gives you further customization options); as well, you can skip ACS (ASA--LDAP--AD) and use memberOf attributes.
Let me know if this makes any sense at all.
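To make the two paths in the answer concrete, here is an added configuration example (it is not from either poster and not a copy of a Cisco document) for the "skip ACS, go ASA--LDAP--AD" option, with the RADIUS/Class variant noted in comments. Every name in it is an assumption: the AD group DNs, the server addresses, the OWA host, the group-policy and ACL names and the tunnel-group are placeholders to be replaced with your own. The security-relevant points it shows are (1) mapping memberOf to IETF-Radius-Class so an AD group selects a group policy, (2) a group policy for OWA users that permits only HTTPS to the OWA server, and (3) a default group policy with zero simultaneous logins, so a user who is in none of the mapped groups is refused rather than silently landing in a permissive default.

```text
! --- AD lookup over LDAP (replaces ACS in the authentication path) ---
! Assumed: DC at 10.0.0.10, service account svc-asa, domain example.com
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! --- AD group (memberOf DN) -> group-policy name ---
! The mapped value is the same Class value ACS would return over RADIUS
! ("OU=GP-OWA;"), so both paths end up selecting the same group policy.
! The ASA walks every memberOf value and uses the first one that matches
! a map-value line, so list the most restrictive groups first if a user
! can be in more than one.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=OWA,OU=Groups,DC=example,DC=com" GP-OWA
 map-value memberOf "CN=Marketing,OU=Groups,DC=example,DC=com" GP-MARKETING

! --- OWA users: clientless only, and only HTTPS to the OWA host ---
! Assumed OWA server 10.0.0.20 / https://owa.example.com
access-list OWA-ONLY extended permit tcp any host 10.0.0.20 eq https
access-list OWA-ONLY extended deny ip any any
access-list OWA-WEB webtype permit url https://owa.example.com/*
access-list OWA-WEB webtype deny url any

group-policy GP-OWA internal
group-policy GP-OWA attributes
 vpn-tunnel-protocol webvpn
 vpn-filter value OWA-ONLY
 webvpn
  filter value OWA-WEB

! --- Marketing: full-tunnel client, predefined shares only ---
! Assumed file server 10.0.1.0/24
access-list MARKETING-ONLY extended permit tcp any 10.0.1.0 255.255.255.0 eq 445
access-list MARKETING-ONLY extended deny ip any any

group-policy GP-MARKETING internal
group-policy GP-MARKETING attributes
 vpn-tunnel-protocol svc webvpn
 vpn-filter value MARKETING-ONLY

! --- Anyone not in a mapped group gets a policy that refuses the login ---
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

The check to run after applying something like this is "test aaa-server authentication AD-LDAP username <user> password <pw>" with "debug ldap 255" on: the debug shows every memberOf value returned and which map-value line it hit, which answers the "how does the ASA know which group I am in" question directly. If the RADIUS/ACS path is kept instead, the equivalent check is "debug radius" and looking for Class = "OU=GP-OWA;" in the Access-Accept; the group-policy, ACL and default-policy sections above stay exactly the same.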