04-17-2007 07:12 AM - edited 02-21-2020 01:29 AM
Hi folks.
I'm doing a WebVPN pilot on one of our ASAs (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST").
Right now the ASA does RADIUS auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows Active Directory domain.
Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?
04-23-2007 06:21 AM
The following document link will give details on your requirement.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
04-24-2007 09:32 AM
Try using the following to tie users to certain group policies:
Using a RADIUS Server
Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
Step 2 Set the class attribute to the group policy name in the format OU=group_name
For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)
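To check what the RADIUS server actually returns for a test user, the following added example (not part of the thread and not the ASA's own logic) builds a constructed Access-Accept, walks its attributes per RFC 2865 and extracts the group policy name from a Class value in the `OU=group_name;` format quoted above. The function names, the zeroed authenticator and the strict uppercase `OU=` match are assumptions made for illustration.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
ATTR_CLASS = 25     # RADIUS Class attribute type (RFC 2865)

def build_access_accept(identifier, class_value):
    """Build a constructed Access-Accept carrying a single Class attribute."""
    value = class_value.encode("ascii")
    attr = struct.pack("!BB", ATTR_CLASS, 2 + len(value)) + value
    authenticator = bytes(16)  # zeroed placeholder, not a valid Response Authenticator
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attr))
    return header + authenticator + attr

def class_values(packet):
    """Return the raw value of every Class attribute in a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_CLASS:
            found.append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return found

def group_policy_from_class(value):
    """Return the name inside 'OU=name;', or None if the format is wrong."""
    text = value.decode("ascii", errors="replace")
    if not (text.startswith("OU=") and text.endswith(";")):
        return None  # wrong prefix, or the trailing semicolon was omitted
    name = text[3:-1]
    if not name or ";" in name:
        return None
    return name

def policies_in(packet):
    """Group policy names (or None) for each Class attribute in the packet."""
    return [group_policy_from_class(v) for v in class_values(packet)]

if __name__ == "__main__":
    good = build_access_accept(1, "OU=SSL_VPN;")  # constructed sample
    bad = build_access_accept(2, "OU=SSL_VPN")    # semicolon omitted
    print(policies_in(good), policies_in(bad))
```

A `None` result for a user who should land in a restricted group policy points at the Class value configured on the RADIUS server rather than at the ASA.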