First define your External Identity Stores, Active Directory - Directory Groups for the relevant AD groups you want to classify people by, then under group mapping for the Access policy define rules matching the AD group to the identity group you want (defined under Users and Identity Stores / Identity Groups).
Sorry, after reading your question again - for authorization, same setup for the AD group definition, but the rules go under the Access Service policy, Authorization section, with rules to match the AD group and different auth policies tied to them.
I have mapped Active Directory groups and defined some authorization profiles for different groups and locations to send the ASA RADIUS attributes (group policy attribute 55, and split-tunnel list).
The problem is how I can differentiate, in the service selection rules, which rule matches an AD group. In a service selection rule you cannot use an identity-based condition.
Yep, exactly - you can't use service selection for this; you have to use service selection to choose the VPN access service you created (as simple as "match RADIUS from device type VPN Concentrators").
Then the policies under the VPN access service define the link between AD groups and auth profiles that you want.
So under your VPN access service:
- under identity you would choose your AD (single result selection)
- under group mapping you would have rules for each group you want to choose from based on AD, of the form "AD-AD1:ExternalGroups contains any", with a resultant identity group that you have defined in ACS
- finally, under authorization you would have rules for each group of the form "AD-AD1:ExternalGroups contains any", with a resultant authorisation profile you wish to have tied to that group.
Good luck. Main point: it's not service selection you do this under, it's the access service policy selected by the service selection. Just have one for VPN and under it choose the group and auth profile.
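An added illustration of the rule evaluation described in the answer above (not Cisco code and not from the original thread): it models the two "AD-AD1:ExternalGroups contains any" rule lists under the VPN access service, showing that rules are evaluated top-down with first match winning, so a user in several AD groups gets whichever matching rule is ordered first, and that an explicit deny default is what catches unmapped users. All group DNs, identity-group and profile names are constructed.

```python
# Added example, not Cisco code: a small model of how the ACS 5.x
# 'AD-AD1:ExternalGroups contains any' rules described above behave.
# Rules are evaluated top-down and the first match wins, so a user who is in
# several AD groups gets whichever matching rule is ordered first. All group
# DNs, identity-group and authorization-profile names here are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One 'contains any' rule: matches if any listed AD group is present."""
    name: str
    ad_groups: frozenset   # values compared against AD-AD1:ExternalGroups
    result: str            # identity group or authorization profile name

def evaluate(rules, external_groups, default):
    """Return (matched rule name, result); 'default' when nothing matches."""
    groups = set(external_groups)
    for rule in rules:
        if rule.ad_groups & groups:          # 'contains any' semantics
            return rule.name, rule.result
    return "default", default

ADMINS = "CN=VPN-Admins,OU=Groups,DC=example,DC=com"   # constructed DN
STAFF = "CN=VPN-Users,OU=Groups,DC=example,DC=com"     # constructed DN

# Group mapping section of the VPN access service: AD group -> identity group.
GROUP_MAPPING = [
    Rule("Admins", frozenset({ADMINS}), "IdG-VPN-Admins"),
    Rule("Staff", frozenset({STAFF}), "IdG-VPN-Staff"),
]

# Authorization section: AD group -> authorization profile (ASA attributes).
# The admin rule is deliberately first so a user in both groups gets the admin
# profile; swap the order and the same user gets the split-tunnel profile.
AUTHORIZATION = [
    Rule("Admins", frozenset({ADMINS}), "Authz-FullTunnel-Admins"),
    Rule("Staff", frozenset({STAFF}), "Authz-SplitTunnel-Staff"),
]

def authorize(external_groups):
    """Run both sections as the access service would and return the outcome."""
    _, identity_group = evaluate(GROUP_MAPPING, external_groups, "IdG-Unmapped")
    rule, profile = evaluate(AUTHORIZATION, external_groups, "DenyAccess")
    return {"identity_group": identity_group, "profile": profile, "rule": rule}

if __name__ == "__main__":
    print(authorize([STAFF]))
    print(authorize([ADMINS, STAFF]))
    print(authorize(["CN=Contractors,OU=Groups,DC=example,DC=com"]))
```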