I am in the process of rebuilding my ASA 5510 8.0(5) firewall configs and I am up to the point of building the remote-access VPN tunnels.
Now I am not sure if this is possible without a RADIUS server or a VPN Concentrator, but I figured I would try.
What I am attempting to do is use Active Directory to determine how a user connects in.
So the AD group the person belongs to determines which SSL VPN they can connect to.
The 3 connections are going to be:
Full VPN Tunnel
Tunnel into an OWA server
Tunnel into a Terminal Server
For some complicated reasons I am unable to put my Exchange or Terminal Server in the DMZ, so rather than having pin-holes from my external connection directly to my Exchange and Terminal Server, I figured I would just use the ASA and a VPN tunnel to connect to those services, along with the full VPN access.
So far this is as far as I have gotten (hardly anywhere):
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (internal) host 10.1.1.1
 ldap-base-dn dc=test,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=LDAPPerson,cn=Service Users OU,cn=Standard Users,dc=test,dc=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map LDAPSSLMap
ldap attribute-map LDAPSSLMap
! 8.0(5) has no Group-Policy attribute; IETF-Radius-Class is the Cisco attribute that selects the group-policy
 map-name memberOf IETF-Radius-Class
! each value must match the memberOf DN exactly as AD returns it (no spaces after the commas); quoted because the DN contains spaces
 map-value memberOf "CN=VPN Access Grp,OU=VPN OU,OU=Security Groups,DC=test,DC=com" SSLVPNPolicy
 map-value memberOf "CN=OWA Access Grp,OU=VPN OU,OU=Security Groups,DC=test,DC=com" SSLOWAPolicy
 map-value memberOf "CN=TS Access Grp,OU=VPN OU,OU=Security Groups,DC=test,DC=com" SSLTSPolicy
I started to try to configure the VPN tunnels, but I couldn't figure out how to determine which policy to use based on the authentication the user uses. Hence I am unsure whether this is even possible.
I have done something similar with SSL where I have the user log in and it sends them directly to a Terminal Server window and asks for an IP address for the server (using AAA). With this setup, is there a way to send them directly to the Terminal Server without them having to put in the IP address?
Also, if they belong to both the TS and OWA groups, is it possible for them to be prompted to choose which one they want to connect to (either the TS or OWA)?
I will keep playing with this to see if I can figure out what needs to be done. If I find a solution I will post it, but any assistance with this would be greatly appreciated.
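The remaining pieces that the post's LDAP setup is working toward, written out as an added example for ASA 8.0(5); this is not the poster's configuration. It assumes the aaa-server group LDAP_SRV_GRP and the attribute map LDAPSSLMap from the post, with memberOf mapped to the Cisco attribute IETF-Radius-Class so that the value the map returns (SSLVPNPolicy, SSLOWAPolicy or SSLTSPolicy) is taken as the name of the group-policy to apply. The interface name, address pool, OWA hostname, AnyConnect package file and the bookmark-list name TS_BOOKMARKS are placeholders. The part worth checking on any such build is the tunnel-group's default-group-policy: it is what a user gets when they authenticate successfully but match none of the mapped groups, so it is set here to a policy that allows zero sessions rather than being left at the permissive default. The map yields one policy per user, so this example does not cover prompting someone who is in both the TS and OWA groups.

```cisco
! Added example, not the original post's config. Assumes LDAP_SRV_GRP and
! LDAPSSLMap (memberOf -> IETF-Radius-Class) are already defined as in the post.
! "outside", VPN_POOL, owa.test.com, the .pkg name and TS_BOOKMARKS are placeholders.

! Fallback for any valid AD account that is in none of the mapped groups: refuse the login.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! Full tunnel: AnyConnect (SVC) only, client addresses from an internal pool.
ip local pool VPN_POOL 10.1.200.10-10.1.200.100 mask 255.255.255.0
group-policy SSLVPNPolicy internal
group-policy SSLVPNPolicy attributes
 vpn-tunnel-protocol svc
 address-pools value VPN_POOL
 webvpn
  svc required

! OWA only: clientless WebVPN; the portal page is replaced by OWA itself,
! so the user lands on OWA after login instead of on the bookmark portal.
group-policy SSLOWAPolicy internal
group-policy SSLOWAPolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  homepage value https://owa.test.com/owa
  url-list none

! Terminal Server only: clientless WebVPN with a bookmark list holding a single
! rdp:// entry. Needs the RDP plug-in and the list imported beforehand with
! "import webvpn plug-in protocol rdp ..." and "import webvpn url-list TS_BOOKMARKS ...".
group-policy SSLTSPolicy internal
group-policy SSLTSPolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value TS_BOOKMARKS

! One tunnel-group for all three: LDAP authenticates, the attribute map picks the
! policy, and anyone the map does not match falls back to NoAccess.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy NoAccess
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable

webvpn
 enable outside
 svc image disk0:/anyconnect-win.pkg 1
 svc enable
 tunnel-group-list enable
```

To confirm the mapping is doing what is intended, test with an account that is in exactly one of the three groups and then with one that is in none; the second login should be rejected with the simultaneous-logins limit, and "debug ldap 255" during the attempt shows the memberOf values AD returned and which map-value, if any, they matched.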