I will be building a new RAS solution for a customer. Users will authenticate using RSA SecurID to the ASA. I will be using LDAP to map these users into group policies on the ASA. Behind the ASA I will have a CAS in Virtual Gateway mode. Once the users are authenticated against the ASA I will use VPN SSO to automatically authenticate the user against the NAC infrastructure.
My question is this. Is it possible to map users to NAC roles based on the group-policy assigned by the ASA to a NAC role using accounting packets from the ASA? I cannot find specific examples on how to do this with just the ASA and the NAC appliance without introducing ACS.
User A authenticates to the ASA using SecurID and is mapped to the group policy "employees" by LDAP. I would like them to be dynamically mapped to a NAC role called "employees" by the accounting packets from the ASA. If it's possible, which attribute would hold the group policy info?
I am open to other ideas as well.
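The question of which accounting attribute carries the group-policy name is easiest to settle empirically: capture the RADIUS Accounting-Request packets the ASA sends (for example by pointing accounting at a host running tcpdump, or at the NAC appliance with packet capture enabled) and dump every attribute in them, including the sub-attributes packed inside Vendor-Specific. The decoder below is an added example, not code from the original post or from Cisco; it follows the packet layout in RFC 2865/2866, verifies the Accounting-Request authenticator against the shared secret so a spoofed packet is not mistaken for the ASA's, and lists every attribute so the reader can search for the group-policy string. The sample packet, its Class value and its cisco-avpair are constructed here for illustration and do not document what a real ASA emits; the shared secret and the attribute contents are assumptions.

```python
"""Decode a RADIUS Accounting-Request and list every attribute it carries.

Added example, not from the original post: the practical way to learn which
accounting attribute holds the ASA group policy is to capture the
Accounting-Request packets and dump all attributes (including Vendor-Specific
sub-attributes). Packet layout follows RFC 2865/2866. The sample packet built
at the bottom is constructed here and does NOT document real ASA output.
"""
import hashlib
import struct

ACCOUNTING_REQUEST = 4
ATTR_VENDOR_SPECIFIC = 26

# Names for the standard attribute types used below (RFC 2865/2866).
ATTR_NAMES = {1: "User-Name", 25: "Class", 26: "Vendor-Specific",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}


def parse_radius(packet: bytes) -> dict:
    """Parse the header and TLV attributes; Vendor-Specific is split into sub-attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("VSA without vendor id")
            vendor = struct.unpack("!I", value[:4])[0]
            sub, spos = value[4:], 0
            while spos < len(sub):
                if spos + 2 > len(sub):
                    raise ValueError("truncated VSA sub-attribute")
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                attrs.append((f"VSA(vendor={vendor}, type={stype})", sub[spos + 2:spos + slen]))
                spos += slen
        else:
            attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attributes": attrs}


def accounting_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def find_attributes_containing(parsed: dict, needle: str) -> list:
    """Return (name, value) pairs whose value contains the text, e.g. a group-policy name."""
    n = needle.encode()
    return [(name, val) for name, val in parsed["attributes"] if n in val]


# --- helpers that build a constructed sample packet (not captured from an ASA) ---

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def _vsa(vendor: int, stype: int, value: bytes) -> bytes:
    return _attr(ATTR_VENDOR_SPECIFIC,
                 struct.pack("!I", vendor) + bytes([stype, 2 + len(value)]) + value)


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


SECRET = b"constructed-shared-secret"   # assumption: the RADIUS key configured on both sides
# Constructed sample; the Class value and the cisco-avpair are placeholders, not ASA output.
SAMPLE_PACKET = build_accounting_request(
    7,
    _attr(1, b"usera")
    + _attr(40, struct.pack("!I", 1))             # Acct-Status-Type = Start
    + _attr(44, b"0x1A2B3C")                      # Acct-Session-Id
    + _attr(25, b"OU=employees;")                 # hypothetical Class value
    + _vsa(9, 1, b"example-avpair=constructed"),  # hypothetical cisco-avpair
    SECRET,
)

if __name__ == "__main__":
    parsed = parse_radius(SAMPLE_PACKET)
    print("authenticator ok:", accounting_authenticator_ok(SAMPLE_PACKET, SECRET))
    for name, val in parsed["attributes"]:
        print(f"{name}: {val!r}")
    print("candidates for 'employees':", find_attributes_containing(parsed, "employees"))
```

Run it against bytes taken from a capture of the real Accounting-Request (replace SAMPLE_PACKET with the UDP payload and SECRET with the configured key) and search for the group-policy name; whichever attribute comes back is the one to match on, and the authenticator check tells you whether the packet really came from a device holding the shared secret.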