Re: ASA WebVPN - restrict access to users in an AD group via ACS

clausonna · ‎04-17-2007

Hi folks.

I'm doing an WebVPN pilot on one of our ASA's (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (lets call the group "VPNTEST")

Right now the ASA does radius auth against out ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows active directory domain.

Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.

I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

ivillegas · ‎04-23-2007

The following document link will give deatils on your requirement.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

h.parsons · ‎04-24-2007

Try using the following to tie users to certain group policies:

Using a RADIUS Server

Using a RADIUS server to authenticate users, assign users to group policies by following these steps:

Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group

policy.

Step 2 Set the class attribute to the group policy name in the format OU=group_name

For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value

of OU=SSL_VPN; (Do not omit the semicolon.)