07-05-2010 12:39 AM - edited 03-10-2019 05:14 PM
Good morning,
I need to assign different authorization profiles to remote users based on their Active Directory group.
I have read that I cannot use an identity-based condition in a service selection rule.
Any idea how I can achieve it if the remote users' auth requests are coming from the same ASA and I cannot differentiate them by the Active Directory group they belong to?
Thanks and best regards
Fran
07-08-2010 08:39 PM
First define your External Identity Stores > Active Directory > Directory Groups for the relevant AD groups you want to classify people by. Then, under Group Mapping for the access policy, define rules matching the AD group to the identity group you want (defined under Users and Identity Stores > Identity Groups).
07-08-2010 08:46 PM
Sorry, after reading your question again: for authorization, use the same setup for the AD group definition, but put the rules under the access service policy, Authorization section, with rules to match the AD group and different auth policies tied to them.
07-09-2010 12:49 AM
Good morning,
I have mapped Active Directory groups, and I have defined some authorization profiles for different groups and locations to send the ASA RADIUS attributes (group policy attribute 55, and split-tunnel list).
The problem is how I can differentiate, in the service selection rules, which rule matches an A.D. group. In a service selection rule I cannot use an identity-based condition.
Best regards
Fran
07-12-2010 04:10 PM
Yep, exactly: you can't use service selection for that. You have to use service selection to choose the VPN access service you created (as simple as "match RADIUS from device type VPN Concentrators").
Then the policies under the VPN access service define the link between AD groups and the auth profiles that you want.
So under your VPN access service
- under identity you would choose your AD (single result selection)
- under group mapping you would have rules for each group you want to choose from based on AD of the form AD-AD1:ExternalGroups contains any
- finally under authorization you would have rules for each group of the form AD-AD1:ExternalGroups contains any
Good luck. Main point: it's not service selection you do this under, it's the access service policy selected by the service selection. Just have one for VPN and under it choose the group and auth profile.
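As an added illustration (not part of this thread, and not ACS code) of the two-stage evaluation described above, the following Python model applies a service selection rule that only sees non-identity conditions (protocol and device type) and then, inside the selected access service, evaluates authorization rules of the "ExternalGroups contains any" form against the user's AD groups. Group DNs, service and profile names, and the attribute labels in the profiles are all constructed placeholders.

```python
# Constructed model of ACS 5.x policy flow: service selection -> access service
# -> authorization. Every name below is a placeholder invented for this example.

# Service selection: conditions available here are protocol and device type
# only (no identity data), so every VPN request lands in one access service.
SERVICE_SELECTION = [
    ({"protocol": "RADIUS", "device_type": "VPN Concentrators"}, "VPN Access"),
]

# Authorization rules under the "VPN Access" service, evaluated first-match.
# Each rule: (AD groups it matches with "contains any", authorization profile).
AUTHZ_RULES = {
    "VPN Access": [
        (["CN=VPN-Admins,OU=Groups,DC=example,DC=com"], "Admins-Profile"),
        (["CN=VPN-Users,OU=Groups,DC=example,DC=com",
          "CN=VPN-Contractors,OU=Groups,DC=example,DC=com"], "Users-Profile"),
    ]
}

# Authorization profiles: labels stand in for the RADIUS attributes returned.
PROFILES = {
    "Admins-Profile": {"group-policy": "GP-ADMINS", "split-tunnel-list": "ADMIN-ACL"},
    "Users-Profile": {"group-policy": "GP-USERS", "split-tunnel-list": "USER-ACL"},
}


def select_service(protocol, device_type):
    """Return the access service name for the request, or None if no rule hits."""
    for conds, service in SERVICE_SELECTION:
        if conds["protocol"] == protocol and conds["device_type"] == device_type:
            return service
    return None


def contains_any(user_groups, rule_groups):
    """'contains any' semantics: true if at least one rule group is in the user's groups."""
    have = {g.lower() for g in user_groups}       # DN comparison is case-insensitive
    return any(g.lower() in have for g in rule_groups)


def authorize(service, user_groups):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule_groups, profile in AUTHZ_RULES.get(service, []):
        if contains_any(user_groups, rule_groups):
            return profile
    return "DenyAccess"


def evaluate(protocol, device_type, user_groups):
    """Whole flow: returns the profile's attributes, or None when access is denied."""
    service = select_service(protocol, device_type)
    if service is None:
        return None
    return PROFILES.get(authorize(service, user_groups))
```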