Cisco Support Community

New Member

ACS5.1 and ASA8.2: mapping AD group to policy

I'm trying to map vpn users to different group policies upon the group set in Active Directory (MemberOf).

Can anyone tell me how to do this? I've found some documents on the ACS4.x, but nothing on ACS5.1.



New Member

Re: ACS5.1 and ASA8.2: mapping AD group to policy

It's quite easy.

The first few steps are obvious, but to have the complete view:

1) ASA must have an AAA server defined as RADIUS (which will be our ACS 5.1 server)

2) ACS must have the ASA device added in the network device list

3) you must add an external AD identity store and directory groups (retrieved from AD)

for example

4) in "Policy Elements -> Network Access -> Authorization Profiles" add a new profile (i.e. "vpn1-grupa") with RADIUS Attributes

GRUPA2 is the name of the group which will be assigned to the user on ASA (where banner and other attributes are assigned to tunnel-group)

note: I tried to use the attribute dedicated for that purpose (RADIUS-CISCO VPN 3000/ASA/PIX 7.x-IPSec-Group-Name) but ASA didn't see it (actually don't know why)

5) create an "access-service" of type network access (i.e. "VPN-access")

6) add a new "Service Selection Policy" rule with some condition and a result of the "VPN-access" service

7) in "VPN-access -> Identity" change the identity source to AD1

8) in the "VPN-access -> Authorization" tab create a new rule with a condition of "group name" (i.e. sevenet.lab/Users/OperatorFirmy1)

That's all.

Hope it helps. I tested it and it works fine.
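The ASA side of the mapping described in the reply above, as an added example that is not part of the original thread. It assumes ACS returns the group-policy name in the IETF Class attribute (25) as "OU=GRUPA2;" in the authorization profile from step 4 (the mechanism documented for ASA), and the server name, address, shared secret and tunnel-group name are placeholders.

```cisco
! Added example, not from the thread. Placeholders: acs-radius, 10.0.0.5,
! the shared secret, tunnel-group ipsec-ra.
!
! Step 1 of the reply: ACS 5.1 defined as a RADIUS AAA server
aaa-server acs-radius protocol radius
aaa-server acs-radius (inside) host 10.0.0.5
 key SHARED-SECRET-PLACEHOLDER
!
! Group policy that ACS assigns to members of the AD group. The ACS
! authorization profile (step 4) returns Class = "OU=GRUPA2;" and the ASA
! maps it to this group-policy by name.
group-policy GRUPA2 internal
group-policy GRUPA2 attributes
 banner value Access restricted to members of the authorized AD group
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
!
! Deny by default: a user who authenticates but is not matched by the ACS
! authorization rule (step 8) gets no Class attribute and falls back to the
! tunnel-group's default policy, so make that policy refuse VPN logins.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
! Tunnel group: authenticate and authorize through ACS over RADIUS.
tunnel-group ipsec-ra type remote-access
tunnel-group ipsec-ra general-attributes
 authentication-server-group acs-radius
 default-group-policy DfltGrpPolicy
!
! Verification after a test login:
!   show vpn-sessiondb remote      -> "Group Policy : GRUPA2" for a mapped user
!   test aaa-server authentication acs-radius host 10.0.0.5 username jdoe
```

With `vpn-simultaneous-logins 0` on the default policy, a user from an AD group that the ACS authorization rule does not match is rejected at login rather than silently landing in the default policy.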


New Member

Re: ACS5.1 and ASA8.2: mapping AD group to policy


I tried that too with 8.3(1), VPN client 5.0.07.0290 and certificate authentication in conjunction with TACACS authentication and RADIUS authorization (TACACS isn't available yet).

cert: OK.

TACACS authentication against AD1: OK.

RADIUS authorization stops after selecting the right ID AD1 store with:

    error 24408 User authentication against Active Directory failed since user has entered the wrong password.

Because every other profile (WLAN/dot1x) is working with the same user/password - even tacacs a second before - I have no idea how to solve that.