Cisco ASA with NAC Appliance

jpecarski
Level 1

I will be building a new RAS solution for a customer. Users will authenticate using RSA SecurID to the ASA. I will be using LDAP to map these users into group policies on the ASA. Behind the ASA I will have a CAS in Virtual Gateway mode. Once the users are authenticated against the ASA I will use VPN SSO to automatically authenticate the user against the NAC infrastructure.

My question is this. Is it possible to map users to NAC roles based on the group-policy assigned by the ASA to a NAC role using accounting packets from the ASA? I cannot find specific examples on how to do this with just the ASA and the NAC appliance without introducing ACS.

For example:

User A authenticates to the ASA using SecurID and is mapped to the group policy "employees" by LDAP. I would like them to be dynamically mapped to a NAC role called employees by the accounting packets from the ASA. If it's possible, which attribute would hold the group policy info?

I am open to other ideas as well.

9 Replies

Thanks Kevin for the response.

With this scenario I would be using AD authentication, either with LDAP or Kerberos, and then authorize the user with LDAP to provide them with a role mapping.

The scenario I'm looking at is using the accounting packets from the ASA to map the user into a NAC role. The user will already be authorized by LDAP when logging into the ASA; I'm trying to save a step by avoiding yet a second authorization to LDAP. My Auth provider in this scenario would be VPN SSO.

Thanks.

Yes, ASA can send radius accounting info to NAC for mapping to the role.

The group info should be included in radius class 25.

Kevin,

Thanks for the response. Radius class 25 will contain the tunnel-group name associated to the user?

It's not tunnel-group name.

Check the link below:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a008089149d.shtml

Basically, you need to configure an "ldap attribute-map" on the ASA to map the group attribute, which is sent to the ASA by the LDAP server, to the Radius class. The value of that "group attribute" would be the value of Radius class 25. It's not related to the tunnel-group name.

Hi Kevin,

If a user called userA is a member of group groupA in LDAP, I can map the "memberOf" attribute to radius "class" using an LDAP MAP on the ASA, and this class will be forwarded in a radius accounting packet to the NAC so I can make a role mapping?

My customer plans on having about 12 - 14 tunnel groups, all but one using VPN SSO. The other will be using Windows AD SSO with Kerberos. The plan is to have the ASA perform all the authentication and authorization and send the radius accounting packet to the NAC for SSO where I can also perform the role mapping.

Thanks.

Yes, you are correct.

Say the LDAP server returns the group info of "UserA" in the memberOf attribute, and its value is "groupA".

You configure the ASA to map the "memberOf" attribute value "groupA" to the Radius class attribute value "group-policyA", where "group-policyA" is a group-policy name configured on the ASA. The ASA will send a Radius accounting packet including the Radius class attribute with value "group-policyA" to the NAC. You can use it to do role mapping. HTH.

Thanks for your help Kevin.

I'm working with some folks on cabling the NAC appliance. As I have already mentioned this will be used in conjunction with a Cisco ASA to perform posture against the VPN users. I plan to deploy this in VGW mode with L3 support. Do you see any issues with cabling the ASA directly to the untrusted interface on the CAS? Available switch ports are the main reason for this discussion.

How would the VLAN mapping work in this instance? Would I need a trunk interface on the ASA to pass the necessary VLAN tags?

If you connect ASA to CAS directly, I think you have to use subinterface on ASA with related VLAN assigned. In this way, ASA can send the packet with the correct vlan tag.