08-10-2010 04:49 AM - edited 03-10-2019 05:19 PM
I'm trying to map VPN users to different group policies based on the group set in Active Directory (MemberOf).
Can anyone tell me how to do this? I've found some documents on the ACS4.x, but nothing on ACS5.1.
Thanks
Thomas
08-11-2010 06:09 AM
It's quite easy.
The first few steps are obvious, but to have a complete view:
1) ASA must have AAA server defined as RADIUS (which will be our ACS 5.1 server)
2) ACS must have ASA device added in network device list
3) you must add an external AD identity store and directory groups (retrieved from AD)
for example
4) in "Policy Elements -> Network Access -> Authorization Profiles" add a new profile (e.g. "vpn1-grupa") with RADIUS Attributes
GRUPA2 is the name of the group which will be assigned to the user on ASA (where banner and other attributes are assigned to tunnel-group)
note: I tried to use the attribute dedicated for that purpose (RADIUS-CISCO VPN 3000/ASA/PIX 7.x-IPSec-Group-Name) but ASA didn't see it (actually don't know why)
5) create an "access-service" of type network access (e.g. "VPN-access")
6) add new "Service Selection Policy" rule with some condition and result of "VPN-access" service
7) in "VPN-access -> Identity" change identity source to AD1
8) in "VPN-access -> Authorization" tab create a new rule with a condition of "group name" (e.g. sevenet.lab/Users/OperatorFirmy1)
That's all.
Hope it helps. I tested it and it works fine.
Regards
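The ASA side of steps 1 and 4, as an added example that is not part of the thread: the RADIUS server definition, the group policy the ACS authorization profile points at, and a deny-everything default group policy so that a user whose AD group matches no ACS rule gets no access instead of silently landing in the tunnel-group default. The server address, shared-secret placeholder, tunnel-group name and the use of the RADIUS Class (25) attribute with an "OU=GRUPA2;" value as the mapping mechanism are assumptions, not something the poster stated.

```cisco
! ASA configuration fragment (added example, assumed names/addresses)
! Step 1: ACS 5.1 as a RADIUS AAA server
aaa-server ACS51 protocol radius
aaa-server ACS51 (inside) host 10.0.0.5
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! Group policy that ACS assigns by returning RADIUS Class (25) = "OU=GRUPA2;"
group-policy GRUPA2 internal
group-policy GRUPA2 attributes
 banner value Authorized GRUPA2 users only
 vpn-tunnel-protocol ikev1
 vpn-simultaneous-logins 3

! Default policy: no logins, so an unmapped AD user is refused
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Tunnel group authenticates against ACS and falls back to NOACCESS
tunnel-group VPN1 type remote-access
tunnel-group VPN1 general-attributes
 authentication-server-group ACS51
 default-group-policy NOACCESS
```

With this in place, "show vpn-sessiondb remote" should list the connected user under group policy GRUPA2; if it shows NOACCESS (or the session is rejected with zero logins allowed), the ACS authorization rule did not match and the returned attribute should be checked in the ACS RADIUS authentication report.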
09-22-2010 06:28 AM
Hello,
I tried that too with 8.3(1), VPN client 5.0.07.0290 and certificate authentication in conjunction with Tacacs authentication and Radius authorization (Tacacs isn't available yet).
cert : ok.
Tacacs authentication against AD1: OK.
Radius authorization stops after selecting the right ID AD1 store with:
error 24408 User authentication against Active Directory failed since user has entered the wrong password.
Because every other profile (WLAN/dot1x) is working with the same user/password - even tacacs a second before - I have no idea how to solve that.
Greetings
Olaf.