Cisco ASA AnyConnect group policy assigned by Windows IAS/AD

Feb 4th, 2010

I'm looking to centralize all of the VPN accounts (AnyConnect / SSLVPN) via our Active Directory.  I would like to set up AD via IAS groups, based on security levels, and map those to the Cisco ASA group policy.  Furthermore, I would like to assign an IP Address Pool based on the group.

For example:

Active Directory (Group)    Cisco ASA VPN Group Policy    IP Address Pool
Security Level 1            Security_Level_1              -
Security Level 2            Security_Level_2              -
Security Level 3            Security_Level_3              -
Security Level 4            Security_Level_4              -

jimsiff Sun, 02/21/2010 - 01:49

I've used IAS for remote access AAA, and it does work well.  For your requirements, I might suggest plugging into AD directly using LDAPS.  If you know your AD schema, it's not too difficult to get LDAP working.  With LDAP, you can use an LDAP map to map AD groups to ASA Group Policies.  You will also be able to prompt users to change their AD passwords when it nears expiration, which I'm not sure you can do via IAS/RADIUS.

The only thing you lose with LDAPS is Accounting.  If you need it, you can still run that back to IAS or ACS/TACACS+.

Hope this helps,
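The LDAP-map approach described in the reply above, worked through as an added example of ASA CLI configuration; it is not from the original post or from Cisco. Every name, DN, address and pool range in it is a constructed placeholder (example.com, 192.0.2.10, the 10.10.x.0/24 pools, the asa-bind service account); the command syntax itself is the standard ASA LDAP attribute-map, aaa-server, group-policy and tunnel-group syntax. On images older than the one that introduced the Group-Policy map target, the equivalent attribute name is IETF-Radius-Class.

```text
! Map the AD memberOf attribute onto the ASA Group-Policy attribute, one
! map-value per security-level group. The map-value DN must match the
! group's distinguished name exactly as AD returns it (constructed DNs here).
ldap attribute-map AD_GROUP_TO_POLICY
 map-name memberOf Group-Policy
 map-value memberOf "CN=Security Level 1,OU=VPN Groups,DC=example,DC=com" Security_Level_1
 map-value memberOf "CN=Security Level 2,OU=VPN Groups,DC=example,DC=com" Security_Level_2
 map-value memberOf "CN=Security Level 3,OU=VPN Groups,DC=example,DC=com" Security_Level_3
 map-value memberOf "CN=Security Level 4,OU=VPN Groups,DC=example,DC=com" Security_Level_4

! LDAPS to a domain controller (address and bind account are constructed).
! server-type microsoft is what enables the AD password-change prompting.
aaa-server AD_LDAPS protocol ldap
aaa-server AD_LDAPS (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-attribute-map AD_GROUP_TO_POLICY

! One address pool per security level (constructed ranges).
ip local pool POOL_SL1 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL_SL2 10.10.2.1-10.10.2.254 mask 255.255.255.0
ip local pool POOL_SL3 10.10.3.1-10.10.3.254 mask 255.255.255.0
ip local pool POOL_SL4 10.10.4.1-10.10.4.254 mask 255.255.255.0

! Group policies named exactly as in the attribute map, each tied to its pool.
group-policy Security_Level_1 internal
group-policy Security_Level_1 attributes
 vpn-tunnel-protocol svc
 address-pools value POOL_SL1
group-policy Security_Level_2 internal
group-policy Security_Level_2 attributes
 vpn-tunnel-protocol svc
 address-pools value POOL_SL2
group-policy Security_Level_3 internal
group-policy Security_Level_3 attributes
 vpn-tunnel-protocol svc
 address-pools value POOL_SL3
group-policy Security_Level_4 internal
group-policy Security_Level_4 attributes
 vpn-tunnel-protocol svc
 address-pools value POOL_SL4

! Fallback policy: a valid AD account that is in none of the mapped groups
! must not land in a permissive default, so the default allows zero logins.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! The AnyConnect tunnel-group authenticates against LDAPS, starts everyone in
! NOACCESS, and lets the attribute map override the policy per user.
! password-management turns on the expiry warning the reply mentions.
tunnel-group AnyConnect_TG type remote-access
tunnel-group AnyConnect_TG general-attributes
 authentication-server-group AD_LDAPS
 default-group-policy NOACCESS
 password-management password-expire-in-days 14
```

Two checks worth doing before relying on this: `test aaa-server authentication AD_LDAPS host 192.0.2.10 username <user> password <pw>` (run with `debug ldap 255` enabled) shows the memberOf values AD actually returns and which map-value matched, and `show vpn-sessiondb anyconnect` after a login confirms the group policy and assigned address. memberOf lists only direct group membership, so nested groups do not map, and a user who is in more than one mapped group will get whichever value the ASA happens to match first; keep the Security Level groups mutually exclusive rather than depending on that ordering. The NOACCESS default is what turns "not in any mapped group" into a denied login instead of a session under whatever the tunnel-group default policy permits.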


