I have configured the ACS box properly with all the command sets, shell profiles and authorization rules. Local authorization works well, but I am now trying to use AD to authenticate. I have joined the domain.
When I try to log into the devices now, it does not work using my domain user IDs, but when I specify the following
condition - AD1:UserPrincipalName, shell profile and assign a command set, it works. My problem is that I don't want to create a rule per user (as is required if I use condition - AD1:UserPrincipalName), nor do I want to apply the rule to the groups in AD.
Can I map the AD groups to the local groups?
Can I apply the rule using the object AD1:memberOf with the "CONTAIN" option? When I try this, it does not work (i.e. AD1:memberOf : contain (CN=marketing)).
Is there any documentation that clearly explains the steps for configuring an external database?
I have looked at most of the Cisco documentation on this, but I don't mind; I would still go through any you recommend.
If you have the users defined in a group in AD, you can map that group in ACS and then use it in an authorization profile.
For example, specific users we want to allow to connect through our access points.
Under External Identity Store -> Active Directory, on the 2nd tab (Directory Groups), choose Select. Then you can search for the group you want to be able to map to.
Under Access Policies, choose the appropriate access service policy. Set the Identity to AD. Under Authorization, click the Customize button and add AD:External Groups. Now, when you create the rule, you can have it Permit Access for the specific group. Change the "default" for the Authorization to Deny All. That will allow people matching that rule access and deny others that meet just the AD membership requirement.
Thank you so much for your reply. I have tried this, but it does not work.
This is what I did:
I followed your steps and selected both AD1:External Groups and AD1:memberOf when I customized the authorization menu. The issue is that my organisation did not group each user by department but rather by some other method, so you could have a user from one department in a different AD group. But in the Attributes tab of the external user database, I have selected the "memberOf" option so I could use this, as all users are well grouped there.
When configuring access policies, I try to use this field. I choose the "AD1:memberOf" attribute, select the "contain" option and fill the space with something like this
exactly the way it is in AD.
When I try to authenticate, it does not work.
When I select the AD1:UserPrincipalName attribute and fill in the name, it works and applies the exact policies.
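To make the two kinds of condition discussed in this thread concrete (a mapped AD:External Groups rule with Deny All as the default, versus an AD1:memberOf "contain" rule), here is an added offline model of such an ACS-style rule table. It is illustration code written for this page, not Cisco ACS code and not posted by anyone in the thread; the group DNs, user names, rule names and the top-down first-match evaluation are assumptions, and the identities are constructed sample data.

```python
# Offline model of an ACS 5.x-style authorization rule table, evaluated against
# the attributes an Active Directory identity store returns.  Added illustration,
# not Cisco ACS code: the DNs, users and rule names below are constructed sample
# data, and evaluation is assumed to be top-down first-match.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DENY = ("DenyAccess", None)  # outcome of the "default -> Deny All" rule from the thread


@dataclass
class Identity:
    upn: str                 # AD1:UserPrincipalName
    member_of: List[str]     # AD1:memberOf: full distinguished names, as AD stores them


@dataclass
class Rule:
    name: str
    condition: Callable[[Identity], bool]
    shell_profile: str
    command_set: str


def external_group(group_dn: str) -> Callable[[Identity], bool]:
    """AD1:External Groups: membership in a group mapped on the Directory Groups tab.
    The whole DN must match; DNs are compared case-insensitively."""
    wanted = group_dn.lower()
    return lambda ident: any(g.lower() == wanted for g in ident.member_of)


def member_of_contains(fragment: str) -> Callable[[Identity], bool]:
    """AD1:memberOf with the 'contain' operator, modelled as a case-insensitive
    substring test over each DN.  'CN=marketing' therefore also matches
    'CN=marketing-archive,...', which an exact External Groups condition does not."""
    needle = fragment.lower()
    return lambda ident: any(needle in g.lower() for g in ident.member_of)


def upn_equals(upn: str) -> Callable[[Identity], bool]:
    """AD1:UserPrincipalName equals: the one-rule-per-user condition the poster wants to avoid."""
    return lambda ident: ident.upn.lower() == upn.lower()


def evaluate(rules: List[Rule], ident: Identity) -> Tuple[str, Optional[str]]:
    """Return (shell profile, command set) of the first matching rule, else the default deny."""
    for rule in rules:
        if rule.condition(ident):
            return (rule.shell_profile, rule.command_set)
    return DENY


# Constructed sample data.  AD never lists a user's primary group (normally
# Domain Users) in memberOf; it is carried in primaryGroupID instead, so a rule
# keyed on "CN=Domain Users,..." would match nobody here.
MARKETING = "CN=marketing,OU=Groups,DC=example,DC=com"
ALICE = Identity("alice@example.com", [MARKETING])
BOB = Identity("bob@example.com", ["CN=marketing-archive,OU=Groups,DC=example,DC=com"])
CAROL = Identity("carol@example.com", [])

GROUP_RULES = [
    Rule("Marketing admins", external_group(MARKETING), "NetAdmin", "FullAccess"),
]
CONTAINS_RULES = [
    Rule("Marketing by substring", member_of_contains("CN=marketing"), "NetAdmin", "FullAccess"),
]


if __name__ == "__main__":
    for ident in (ALICE, BOB, CAROL):
        print(ident.upn,
              "| External Groups ->", evaluate(GROUP_RULES, ident),
              "| memberOf contains ->", evaluate(CONTAINS_RULES, ident))
```

Running it shows the two behaviours side by side: the mapped-group rule admits only alice, while the substring rule also admits bob through the similarly named marketing-archive group. When a memberOf condition is used at all, the value to compare against is the full DN as AD returns it, and the primary group will not be present in that attribute.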