I'm currently requiring users who come from the PublicVLAN (the VLAN associated with the wireless hotspot) to authenticate themselves to the LDAP server via my ASA 5510 firewall:
access-list PublicVLAN_authentication remark Authenticate user from Hotspot (VLAN3) before allowing HTTP traffic
access-list PublicVLAN_authentication extended permit tcp 192.168.12.0 255.255.255.0 any eq www
aaa authentication match PublicVLAN_authentication PublicVLAN LDAP_HOTSPOT
aaa-server LDAP_HOTSPOT protocol ldap
aaa-server LDAP_HOTSPOT (inside) host XXXXXX
 ldap-base-dn CN=Users, DC=XXXX,DC=XXX
This is working correctly and I can authenticate all users in my domain.
Now I've created a new LDAP group named http_authorized_users and I've added to it the users who are permitted to surf the web.
How can I restrict authentication to just the users who are members of a specific LDAP group?
As you can see in the image, I have my group and I've associated the user TestInterno with it, but how can I modify my LDAP_HOTSPOT to authenticate just the users who are members of the http_authorized_users group (in the example below, just the user TestInterno is associated with the group)?
If this is not possible with LDAP, what other solution could I use to do this?
Thanks a lot!