Cisco ASA AnyConnect group policy assigned by Windows IAS/AD

Unanswered Question
Feb 4th, 2010

I'm looking to centralize all of the VPN accounts (AnyConnect / SSLVPN) via our Active Directory.  I would like to set up AD via IAS groups, based on security levels, and map those to the Cisco ASA group policy.  Furthermore, I would like to assign an IP Address Pool based on the group.

For example:

Active Directory (Group)    Cisco ASA VPN Group Policy    IP Address Pool
Security Level 1            Security_Level_1              192.168.1.1 - 192.168.1.10
Security Level 2            Security_Level_2              192.168.2.1 - 192.168.2.10
Security Level 3            Security_Level_3              192.168.3.1 - 192.168.3.10
Security Level 4            Security_Level_4              192.168.4.1 - 192.168.4.10

jimsiff Sun, 02/21/2010 - 01:49

I've used IAS for remote access AAA, and it does work well.  For your requirements, I might suggest plugging into AD directly using LDAPS.  If you know your AD schema, it's not too difficult to get LDAP working.  With LDAP, you can use an LDAP map to map AD groups to ASA Group Policies.  You will also be able to prompt users to change their AD passwords when they near expiration, which I'm not sure you can do via IAS/RADIUS.

The only thing you lose with LDAPS is Accounting.  If you need it, you can still run that back to IAS or ACS/TACACS+.


Hope this helps,


Jim
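The following ASA configuration is an added example illustrating the approach Jim describes (LDAPS to AD, an LDAP attribute map from AD group membership to ASA group policy, per-policy address pools, and RADIUS accounting sent back to IAS); it is not from the original thread or from Cisco. The server addresses, the bind account, the OU paths in the group DNs, the pool and policy names other than the four in the question, and the tunnel-group name are all assumptions chosen for illustration. The group-policy names and address pools match the table in the question.

```cisco
! --- LDAPS connection to Active Directory (host address and bind DN are assumptions) ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-attribute-map AD-GROUP-MAP

! --- Map the AD memberOf attribute to the ASA Group-Policy attribute ---
! The group DNs below are assumed; substitute the real distinguishedName of each AD group.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Security Level 1,OU=VPN Groups,DC=example,DC=com" Security_Level_1
 map-value memberOf "CN=Security Level 2,OU=VPN Groups,DC=example,DC=com" Security_Level_2
 map-value memberOf "CN=Security Level 3,OU=VPN Groups,DC=example,DC=com" Security_Level_3
 map-value memberOf "CN=Security Level 4,OU=VPN Groups,DC=example,DC=com" Security_Level_4

! --- One address pool per security level (ranges from the question; mask is an assumption) ---
ip local pool POOL_SL1 192.168.1.1-192.168.1.10 mask 255.255.255.0
ip local pool POOL_SL2 192.168.2.1-192.168.2.10 mask 255.255.255.0
ip local pool POOL_SL3 192.168.3.1-192.168.3.10 mask 255.255.255.0
ip local pool POOL_SL4 192.168.4.1-192.168.4.10 mask 255.255.255.0

! --- Group policies, each tied to its pool ---
group-policy Security_Level_1 internal
group-policy Security_Level_1 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_SL1
group-policy Security_Level_2 internal
group-policy Security_Level_2 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_SL2
group-policy Security_Level_3 internal
group-policy Security_Level_3 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_SL3
group-policy Security_Level_4 internal
group-policy Security_Level_4 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_SL4

! --- Fallback policy: a user who authenticates but is in none of the mapped groups gets no session ---
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! --- Optional RADIUS accounting back to IAS, since LDAP does not provide it (host is an assumption) ---
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.20
 key <radius-shared-secret-placeholder>

! --- AnyConnect tunnel group: authenticate via LDAPS, account via RADIUS, default to the deny policy ---
tunnel-group AnyConnect-TG type remote-access
tunnel-group AnyConnect-TG general-attributes
 authentication-server-group AD-LDAP
 accounting-server-group IAS-RADIUS
 default-group-policy NoAccess
 password-management
```

Two points worth checking after applying something like this: the `default-group-policy` is deliberately the deny policy, so that a user whose AD groups do not match any `map-value` line cannot connect at all rather than landing in a permissive default; and `debug ldap 255` during a test login shows whether the attribute map actually produced a Group-Policy value, which is the usual cause of "authenticated but wrong pool" problems. The `password-management` keyword is what enables the expiring-password prompt Jim mentions, and it requires the LDAPS (port 636) connection shown above rather than plain LDAP.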
