Apply VPN group policy or group lock with AD via IAS/RADIUS?
Running ASA 7.2(2) and wondering how it is possible to apply authorization policies to an incoming IPsec remote access connection. There is an existing backend RADIUS service running Microsoft IAS in an Active Directory domain. I have got the blanket user authentication/authorization working from AD, but I need to tighten it up by restricting users to a specific tunnel-group and/or group-policy.
I want to apply the equivalent of the ASA local vpn group-lock (where the user is restricted to a specific tunnel-group) enforced from AD via RADIUS. If this isn't possible I guess an equivalent restriction could be enforced using group-policy? From this documentation it seems possible using RADIUS...
"from an external RADIUS/LDAP server by the value of the RADIUS CLASS attribute (25) in the format OU=GroupName;"
What I don't know is the magic incantation needed in IAS to map something in Active Directory onto RADIUS attribute 25. You might be able to guess I'm not an AD person.
I have seen the ASA LDAP functionality where cVPN3000-IETF-* attribute matching is used, but I want to fully explore/exhaust the possibility of using the existing RADIUS service for group-policy and ideally group-lock authorization. (Can group-lock even be enforced by RADIUS?)
Re: Apply VPN group policy or group lock with AD via IAS/RADIUS?
Vivek, thanks for your reply. As mentioned, I'm trying to integrate ASA remote access VPN with Microsoft Active Directory via IAS. How can I configure RADIUS attribute 25 on IAS to receive a value from AD and forward it on to the ASA?
What I'd really like confirmed first is whether group-lock functionality is available from AD through RADIUS?
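As an added illustration (not part of this thread or of Cisco's code), the following Python models the mapping the quoted documentation describes: a RADIUS Access-Accept carries Class (attribute 25) as `OU=GroupName;`, the ASA selects that group-policy, and a locally configured group-lock on the group-policy then decides whether the tunnel-group the user connected to is allowed. The group-policy and tunnel-group names, the fallback to a default group-policy, and the reject-on-mismatch behaviour are simplifying assumptions for the example, not a description of ASA internals.

```python
from __future__ import annotations
import struct

RADIUS_CLASS = 25  # IETF RADIUS attribute "Class" (RFC 2865)

def encode_class_avp(group_policy: str) -> bytes:
    """Build the Class AVP (type, length, value) in the OU=GroupName; form the ASA expects."""
    value = f"OU={group_policy};".encode("ascii")
    return struct.pack("!BB", RADIUS_CLASS, 2 + len(value)) + value

def parse_avps(payload: bytes) -> list[tuple[int, bytes]]:
    """Walk RADIUS TLV attributes, refusing malformed lengths instead of looping on them."""
    avps, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        avps.append((atype, payload[i + 2:i + alen]))
        i += alen
    return avps

def group_policy_from_class(payload: bytes) -> str | None:
    """Return the group-policy name carried in Class as OU=Name;, or None if absent/malformed."""
    for atype, val in parse_avps(payload):
        if atype != RADIUS_CLASS:
            continue
        text = val.decode("ascii", "replace")
        if text.startswith("OU=") and text.endswith(";") and len(text) > 4:
            return text[3:-1]
    return None

# Hypothetical local ASA group-policies; group-lock names the only tunnel-group allowed.
GROUP_POLICIES = {
    "SALES-GP": {"group-lock": "SALES-TG"},
    "ENG-GP": {"group-lock": None},
}

def authorize(payload: bytes, connected_tunnel_group: str,
              default_gp: str = "DfltGrpPolicy") -> tuple[bool, str]:
    """Pick the group-policy from Class (or the default) and enforce its group-lock."""
    gp = group_policy_from_class(payload) or default_gp
    lock = GROUP_POLICIES.get(gp, {}).get("group-lock")
    if lock and lock != connected_tunnel_group:
        return False, gp  # user landed on a tunnel-group the policy does not permit
    return True, gp
```

The point the model makes explicit is that RADIUS only needs to name the group-policy; the group-lock itself stays a local attribute of that group-policy on the ASA.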