Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

WebVPN (clientless) + Windows Auth

Hi All,

I've configured SSLVPN on Cisco ASA 5540 to authenticate using Windows AD by providing DomainController information. Though the authentication is working, I'm bit concerned about the security as this method of authentication mechanism would expose remote access to every other account on Windows AD (including service accounts).

Is there a mecahnism / way to restrict the authenticate to specific group of users while using Windows AD for authentication on Cisco ASA for SSLVpn?

Please note: There is no ACS server available on the network.

Appreciate quick help on this,

New Member

Re: WebVPN (clientless) + Windows Auth

You can setup Dynamic Access Policies and configure it for a particular AD Security Group. You would need to map the LDAP memberOf field to the AD Security Group name.


New Member

Re: WebVPN (clientless) + Windows Auth

Hi Josh,

Thanks for this excellent suggestion. Though would like to know if I need to enable LDAP authentication for WebUsers OR still live with Windows Auth using the following commands..

aaa-server ADdomain protocol nt

aaa-server ADdomain host

nt-auth-domain.controller dc1


New Member

Re: WebVPN (clientless) + Windows Auth


another way might be to configure a MS IAS server on one of your Windows Servers.

Creating Remote Access policys and using the IAS as a Radius server might have a advantage that You can use it for more then just Web VPN, like perhaps 802.1x on WLANs etc.

Another would be that it might be easier to create multiple and different access policys for different AD-security groups.

Hope this helps in some way

CreatePlease to create content