08-11-2010 01:00 PM
We have an ASA configured with sslvpn and using AnyConnect clients. Currently we authenticate via LDAP and automatically set the group-policy value via an LDAP value. We have several groups with unique IPs and therefore special access due to their assigned IP address.
We'd like to add SecurID authentication for some of these groups. I've set up a second profile with double authentication, using LDAP with group assignment, and that works fine.
The issue we are facing is that I can find no way to limit access to the double authentication groups from the standard profile, because both profiles are authenticating to the same LDAP server, and the LDAP policy map is configured with the LDAP server.
So all the groups are accessible (with the right credentials) from both the standard single auth profile and the double-auth profile, and there's no way to force the use of the double-auth profile- at least none that I can find.
Thanks for any thoughts on this.
Lynne
08-12-2010 03:22 PM
Lynne,
I'm sorry I might be a bit lost in the description (late at night here).
Would this be anything close to what you're looking for?
authentication-attr-from-server    Specify the authentication server that provides authorization attribute for the session
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a2.html#wp1644911
Marcin
08-16-2010 05:40 AM
Thanks for the suggestion, but that's not really what we need.
The double authentication IS working. The problem is that both the single auth and double auth profiles use the same LDAP server in order to get NetIDs placed in the proper VPN groups. Therefore both profiles share the same LDAP Attribute Map, which means that there's no way to force someone to choose the double-auth profile, since they can still access 'their' group by using the single-auth profile...
I can't find any way to use the same LDAP server with different LDAP attribute maps on the same ASA.
It seems like we would need either a different LDAP server with a unique attribute map for the double-auth profile OR a separate ASA with the same LDAP server but again a unique attribute map.
Thanks,
Lynne
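As an added illustration (not configuration from either poster), the following ASA fragment lays out the pieces this thread talks about: one LDAP server group carrying an attribute map that turns an LDAP group membership into a group-policy, an RSA SecurID (SDI) server group, a single-auth tunnel-group and a double-auth tunnel-group that both authenticate against the same LDAP server group. It also shows the group-policy attribute `group-lock`, which pins a group-policy to one tunnel-group so that a user who maps to that policy is rejected when connecting through any other tunnel-group; that attribute is standard ASA syntax but is not mentioned in the thread, and whether it fits Lynne's environment is an assumption. All names, DNs, addresses and passwords are made up.

```cisco
! --- LDAP attribute map: memberOf -> Group-Policy (assumed names) ---
ldap attribute-map AD-GROUP-TO-GP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Std,OU=Groups,DC=example,DC=com"  GP-STD
 map-value memberOf "CN=VPN-2FA,OU=Groups,DC=example,DC=com"  GP-2FA

! --- The single LDAP server group both tunnel-groups share ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password PLACEHOLDER-PASSWORD
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-GP

! --- RSA SecurID server group used as the second factor ---
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.0.0.20

! --- Group-policies selected by the attribute map ---
group-policy GP-STD internal
group-policy GP-STD attributes
 vpn-tunnel-protocol svc
 address-pools value POOL-STD
 group-lock value TG-STD          ! only reachable via the single-auth profile

group-policy GP-2FA internal
group-policy GP-2FA attributes
 vpn-tunnel-protocol svc
 address-pools value POOL-2FA
 group-lock value TG-2FA          ! rejected unless the user came in via TG-2FA

! --- Single-auth profile: LDAP only ---
tunnel-group TG-STD type remote-access
tunnel-group TG-STD general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-STD
tunnel-group TG-STD webvpn-attributes
 group-alias Standard enable

! --- Double-auth profile: LDAP password + SecurID passcode ---
tunnel-group TG-2FA type remote-access
tunnel-group TG-2FA general-attributes
 authentication-server-group AD-LDAP
 secondary-authentication-server-group RSA-SDI
 default-group-policy GP-2FA
tunnel-group TG-2FA webvpn-attributes
 group-alias TwoFactor enable
```

With this layout the attribute map is still shared, exactly as described in the thread, but the `group-lock` value on GP-2FA means a member of VPN-2FA who picks the "Standard" alias is mapped to GP-2FA and then refused, because the session did not arrive through TG-2FA. The address pools POOL-STD and POOL-2FA are assumed to be defined elsewhere.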