ACS5.1 and ASA8.2: mapping AD group to policy

Unanswered Question
Aug 10th, 2010

I'm trying to map VPN users to different group policies based on the group set in Active Directory (MemberOf).

Can anyone tell me how to do this? I've found some documents on ACS 4.x, but nothing on ACS 5.1.



Przemyslaw Konitz Wed, 08/11/2010 - 06:09

It's quite easy.

The first few steps are obvious, but to give a complete view:

1) The ASA must have an AAA server defined as RADIUS (which will be our ACS 5.1 server).

2) ACS must have the ASA device added in the network device list.

3) You must add an external AD identity store and directory groups (retrieved from AD),

for example:

4) In "Policy Elements -> Network Access -> Authorization Profiles" add a new profile (e.g. "vpn1-grupa") with RADIUS attributes.

GRUPA2 is the name of the group which will be assigned to the user on the ASA (where the banner and other attributes are assigned to the tunnel-group).

Note: I tried to use the attribute dedicated for that purpose (RADIUS-CISCO VPN 3000/ASA/PIX 7.x-IPSec-Group-Name), but the ASA didn't see it (actually I don't know why).

5) Create an "access service" of type network access (e.g. "VPN-access").

6) Add a new "Service Selection Policy" rule with some condition and a result of the "VPN-access" service.

7) In "VPN-access -> Identity" change the identity source to AD1.

8) In the "VPN-access -> Authorization" tab create a new rule with a condition of "group name" (e.g. sevenet.lab/Users/OperatorFirmy1).

That's all.

Hope it helps. I tested it and it works fine.
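For readers who want to see the ASA side of the steps above, here is an added example configuration (not from the original post, and not the poster's own config). It assumes ASA 8.2 IPsec remote access, that the ACS 5.1 authorization profile returns the IETF RADIUS Class attribute (25) with the value "OU=GRUPA2;", which is the value the ASA matches against a group-policy name, and it uses placeholder addresses, names and secrets throughout. The NOACCESS default group-policy is the practitioner's safeguard: a user whose AD group matches no ACS rule gets no Class attribute back and is refused instead of silently landing in a permissive default policy.

```cisco
! Added example (not from the post). Addresses, names and secrets are placeholders.

! Step 1 in the post: ACS 5.1 defined as the RADIUS AAA server.
aaa-server ACS51 protocol radius
aaa-server ACS51 (inside) host 192.0.2.10
 key REPLACE-WITH-RADIUS-SHARED-SECRET

! The policy the ACS authorization profile selects (GRUPA2 in the post).
! ACS returns Class = "OU=GRUPA2;" and the ASA applies this group-policy
! to the session, carrying the banner and other per-group attributes.
group-policy GRUPA2 internal
group-policy GRUPA2 attributes
 banner value Authorized OperatorFirmy1 users only
 vpn-tunnel-protocol ipsec
 vpn-simultaneous-logins 3

! Fail-closed fallback: applied when no Class attribute comes back, i.e. the
! user is in no mapped AD group. Zero logins means the tunnel is refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group VPN-RA type remote-access
tunnel-group VPN-RA general-attributes
 authentication-server-group ACS51
 default-group-policy NOACCESS
tunnel-group VPN-RA ipsec-attributes
 pre-shared-key REPLACE-WITH-IKE-PSK
```

To confirm the mapping took effect, connect a test user from the AD group and check `show vpn-sessiondb remote` on the ASA: the session's "Group Policy" field should read GRUPA2, while a user outside the group should be rejected. If the group policy stays at NOACCESS for a user who should match, `debug radius` shows whether the Class attribute is present in the Access-Accept, which separates an ACS rule problem from an ASA-side naming mismatch.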


biotron Wed, 09/22/2010 - 06:28


I tried that too with 8.3(1), VPN client 5.0.07.0290 and certificate authentication in conjunction with TACACS authentication and RADIUS authorization (TACACS isn't available yet).

Cert: OK.

TACACS authentication against AD1: OK.

RADIUS authorization stops after selecting the right AD1 ID store with:

    error 24408 User authentication against Active Directory failed since user has entered the wrong password.

Because every other profile (WLAN/dot1x) is working with the same user/password, even TACACS a second before, I have no idea how to solve that.



