Cisco Support Community
New Member

SSL VPNs authentication to Microsoft IAS

Hello:

I have an ASA5520.  Currently I have client VPNs coming into it.  They authenticate via RADIUS to a Microsoft IAS server.  The ASA has 2 licenses for SSL VPN.  I want them reserved for my IT staff.  I configured the AAA Server Group on it to point to the IAS server.  The way IAS works is you create access policies for users to authenticate to.  The first group they authenticate to is the one they use.  Does anyone know how to configure the ASA so I can have 2 different groups for authentication?  Do I need to go to LDAP?

Harrison Midkiff

2 REPLIES
Cisco Employee

Re: SSL VPNs authentication to Microsoft IAS

You can configure 2 AAA servers and create 2 tunnel-groups and 2 group-policies; basically, you can assign AAA server 1 to tunnel-group 1 and AAA server 2 to tunnel-group 2.

Are you going to use 2 different authentication servers for 2 different users? I.e., SSL VPN uses local authentication, and IPSec VPN uses the RADIUS/IAS server for authentication? I am just trying to understand what you are trying to achieve.

New Member

Re: SSL VPNs authentication to Microsoft IAS

halijenn

Thanks for replying to my post.

Basically I want users to log into VPN and SSL VPN based on group membership in AD. If a user is a member of a group called "VPN Users" they would have access to log in via the software VPN client. If a user is a member of a group called "SSL VPN Users" they would have access to log in via SSL. A user could be a member of one or the other or both. When you use a RADIUS server, its authentication is pretty simple. You create access policies and as long as you are a member of one of them you will get authenticated. That is the problem. I could do 2 different RADIUS servers but that would tend to make things a little messy and hard to manage.

Any suggestions you have would be greatly appreciated.

Harrison Midkiff
