09-02-2010 03:41 PM - edited 03-11-2019 11:34 AM
Hello:
I have an ASA5520. Currently I have client VPNs coming into it. They authenticate via RADIUS to a Microsoft IAS server. The ASA has 2 licenses for SSL VPN. I want them reserved for my IT staff. I configured the AAA Server Group on it to point to the IAS server. The way IAS works is you create access policies for users to authenticate to. The first group they authenticate to is the one they use. Does anyone know how to configure the ASA so I can have 2 different groups for authentication? Do I need to go to LDAP?
Harrison Midkiff
09-03-2010 06:13 PM
You can configure 2 AAA servers, and create 2 tunnel-groups and 2 group-policies, and basically you can assign AAA server 1 on tunnel-group 1, and AAA server 2 on tunnel-group 2.
Are you going to use 2 different authentication servers for 2 different users? i.e., SSL VPN uses local authentication, and IPSec VPN uses RADIUS/IAS server for authentication? I am just trying to understand what you are trying to achieve.
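The layout described in the reply above, sketched as ASA configuration. This is an added example, not part of the original thread: the group names, the 192.0.2.x server addresses, and the bracketed secrets are placeholders, and the `vpn-tunnel-protocol` keywords assume ASA 8.0 to 8.3 syntax.

```cisco
! Added example: all names, addresses and secrets below are placeholders.
! One AAA server group per VPN type, each pointing at its own RADIUS server.
aaa-server RAD-IPSEC protocol radius
aaa-server RAD-IPSEC (inside) host 192.0.2.10
 key <radius-secret-1>
aaa-server RAD-SSL protocol radius
aaa-server RAD-SSL (inside) host 192.0.2.11
 key <radius-secret-2>
!
! One group-policy per VPN type, each limited to a single tunnel protocol.
! ASA 8.0-8.3 keywords assumed; 8.4 and later use ikev1 / ssl-client instead.
group-policy GP-IPSEC internal
group-policy GP-IPSEC attributes
 vpn-tunnel-protocol IPSec
group-policy GP-SSL internal
group-policy GP-SSL attributes
 vpn-tunnel-protocol svc
!
! Tunnel-group 1: software VPN client, authenticated by AAA server group 1.
tunnel-group TG-IPSEC type remote-access
tunnel-group TG-IPSEC general-attributes
 authentication-server-group RAD-IPSEC
 default-group-policy GP-IPSEC
tunnel-group TG-IPSEC ipsec-attributes
 pre-shared-key <group-pre-shared-key>
!
! Tunnel-group 2: SSL VPN, authenticated by AAA server group 2.
tunnel-group TG-SSL type remote-access
tunnel-group TG-SSL general-attributes
 authentication-server-group RAD-SSL
 default-group-policy GP-SSL
```

Address pools, webvpn enablement and group aliases are left out; only the mapping between AAA server groups, tunnel-groups and group-policies is shown.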
09-07-2010 08:19 AM
Thanks for replying to my post.
Basically I want users to log into VPN and SSL VPN based on group membership in AD. If a user is a member of a group called "VPN Users" they would have access to login via the software VPN client. If a user is a member of a group called "SSL VPN Users" they would have access to login via SSL. A user could be a member of one or the other or both. When you use a RADIUS server its authentication is pretty simple. You create access policies and as long as you are a member of one of them you will get authenticated. That is the problem. I could do 2 different RADIUS servers but that would tend to make things a little messy and hard to manage.
Any suggestions you have would be greatly appreciated.
Harrison Midkiff