I have an ASA, an ACS appliance, Active Directory, and RSA securID. SSL users should only authenticate with AD, while IPSec users should only authenticate with RSA. Not yet using anyconnect.
here is my scenario:
ACS -- AD - Dynamic users are created in ACS when authenticated with their AD domain login/password
ACS -- AD - AD Group mapping to put user in the correct ACS group
ASA SSL - matches username in ACS group to display customized SSL bookmarks
all looks good
ACS -- RSA - static users in ACS assigned to RSA group in ACS configured for authentication with external RSA DB
ASA IPSec - Authenticates with ACS
Question: How does the ASA or ACS know to authenticate IPSec users ONLY via RSA and SSL users only via AD?
What do I have to do to not allow a windows user to simply enter their AD login/password into thei IPSec client and login. I could see this become common with users who dont have their keyfob handy or forget to use it.
A NAP, also known as a profile, is essentially a classification of network-access requests for applying a common policy. You can use NAPs to aggregate all policies that should be activated for a certain location in the network. Alternatively, you can aggregate all policies that handle the same device type, for example, VPNs or Access Points (APs).
Thanks, I will review the link and other NAP info. I also heard about using the IETF RADIUS Attributes # 25 class to set this to match the profile name in the ASA. Will this do the trick and only allow users in the correct groups to authenticate and/or be allowed or denied by group membership?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :