Cisco Support Community
Authentication based on AD group for each VPN group

How can I configure my ASA 5520 to authenticate each VPN group only if the users are in a specific AD group?

For example, I have 2 VPN groups:

Accounting

sales

And I want each user to authenticate only if he is within his/her specified AD group. And I'm using windows IAS for radius authentication.

4 REPLIES
Re: Authentication based on AD group for each VPN group

This is actually very interesting. Did you find a method to get this working?

Re: Authentication based on AD group for each VPN group

Hi,

Keep radius between IAS and ASA.

Then configure IAS to get the radius users from AD (through LDAP, I think).

Please rate if this helped.

Regards,

Daniel

Re: Authentication based on AD group for each VPN group

You can use the group lock feature in the Group Policy.

First you should use different Group Policy for each of the Tunnel Group. And then edit Group Policy to support Group Lock.

Group Lock is on the IPSec Parameters tab of the Group Policy.

And you should use the group name as the OU parameter in the user profile on the AAA server.

Here is a sample user profile which is configured to use test.vpn as the group name,

for Cisco Secure Unix:

    user = testuser@ssl.vpn{
        profile_id = 128911
        set server current-failed-logins = 1
        profile_cycle = 6
        member = test.vpn
        password = chap "********"
        password = pap "********"
        radius=Cisco {
            reply_attributes= {
                25="OU=test.vpn"
            }
        }
    }
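For reference, the ASA side of the group-lock setup described in this reply, as an added example that is not from the thread or from Cisco: one group policy per tunnel group with group-lock pointing back at the tunnel group of the same name, and IAS returning the group name in the Class (25) attribute the same way the profile above does. The IAS address, the RADIUS key and the AD group names are placeholders.

```cisco
! Added example (not from the thread): ASA 5520 configuration for the
! group-lock approach. Server address, key and AD group names are placeholders.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.0.2.10
 key RADIUS-SHARED-SECRET-PLACEHOLDER
!
! One group policy per VPN group. group-lock binds the policy to the tunnel
! group of the same name: if IAS assigns the Accounting policy to a user who
! connected through the Sales tunnel group, the ASA rejects the connection.
group-policy Accounting internal
group-policy Accounting attributes
 group-lock value Accounting
group-policy Sales internal
group-policy Sales attributes
 group-lock value Sales
!
! Tunnel groups (the VPN groups users pick), each authenticating against IAS.
tunnel-group Accounting type remote-access
tunnel-group Accounting general-attributes
 authentication-server-group IAS
 default-group-policy Accounting
tunnel-group Sales type remote-access
tunnel-group Sales general-attributes
 authentication-server-group IAS
 default-group-policy Sales
!
! IAS side (one remote access policy per AD group, configured in the IAS GUI,
! not on the ASA):
!   condition: Windows-Groups matches DOMAIN\Accounting-VPN
!   RADIUS standard attribute Class (25) = "OU=Accounting"
!   (second policy: DOMAIN\Sales-VPN -> Class = "OU=Sales")
! This mirrors the 25="OU=test.vpn" line in the profile above.
```

Without group-lock, a user who is in the Sales AD group could still authenticate through the Accounting tunnel group; the Class attribute selects the policy, and group-lock is what ties that policy to the tunnel group the user actually chose.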

Re: Authentication based on AD group for each VPN group

I will give that a try, thanks for the input. Do you think I can use the same mechanism to authenticate users for AD and shell access based on group membership?

I use IAS and RADIUS for VPN auth and shell access auth but haven't been able to make sure that VPN-authenticated users have no access to the ASA shell.

eg. group membership or OU -> NetAdmins = Shell

or group membership or OU -> VPNUsers = VPN Auth.

Roble
