Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
723
Views
0
Helpful
2
Replies

SSL VPNs authentication to Microsoft IAS

HMidkiff
Level 1
Level 1

‎09-02-2010 03:41 PM - edited ‎03-11-2019 11:34 AM

Hello:

I have an ASA5520.  Currently I have client VPNs coming into it.  They authenticate via RADIUS to a Microsoft IAS server.  The ASA has 2 licenses for SSL VPN.  I want them reserved for my IT staff.  I configured the AAA Server Group on it to point to the IAS server.  The way IAS works is you create access policies for users to authenticate to.  The first group they authenticate to is the one they use.  Does anyone know how to configure the ASA so I can have 2 different groups for authentication?  Do I need to go to LDAP?

Harrison Midkiff

Labels:
0 Helpful
2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

‎09-03-2010 06:13 PM

You can configure 2 AAA servers, and create 2 tunnel-groups and 2 group-policy, and basically you can assign AAA server 1 on tunnel-group 1, and AAA server 2 on tunnel-group 2.

Are you going to use 2 different authentication servers for 2 different users? ie: SSL VPN uses local authentication, and IPSec VPN uses radius/IAS server for authentication? I am just trying to understand what you are trying to achieve.

0 Helpful

HMidkiff
Level 1
Level 1
In response to Jennifer Halim

‎09-07-2010 08:19 AM

halijenn

Thanks for replying to my post.

Basically I want users to log into VPN and SSL VPN based on group membership in AD.   If a user is a member of a group called "VPN Users" they would have access to login via the software VPN client.  If a user is a member of a group called "SSL VPN Users" they would have access to login via SSL.  A user could be a member of one or the other or both. When you use a RADIUS server its authentication is pretty simple.  You create access policies and as long as you are a member of one of them you will get authenticated.  That is the problem.  I could do 2 different RADIUS servers but that would tend to make things a little messy and hard to manage. 

Any suggestions you have would be greately appreciated.

Harrison Midkiff

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card