Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco ASA AnyConnect group policy assigned by Windows IAS/AD

I'm looking to centralize all of the VPN account (AnyConnect / SSLVPN) via our Active Directory.  I would like to set up AD via IAS groups, based on security levels, and map those to the Cisco ASA group policy.  Furthermore, I would like to assign an IP Address Pool based on the group.

For example:

Active Directory (Group)      Cisco ASA VPN Group Policy       IP Address Pool
Security Level 1                     Security_Level_1               -

Security Level 2                     Security_Level_2               -

Security Level 3                     Security_Level_3               -

Security Level 4                     Security_Level_4               -

Community Member

Re: Cisco ASA AnyConnect group policy assigned by Windows IAS/AD

I've used IAS for remote access AAA, and it does work well.  For your requirements, I might suggest plugging into AD directly using LDAPS.  If you know your AD schema, it's not too difficult to get LDAP working.  With LDAP, you can use an LDAP map to map AD groups to ASA Group Policies.  You will also be able to prompt users to change their AD passwords when it nears expiration, which I'm not sure you can do via IAS/RADIUS.

The only thing you lose with LDAPS is Accounting.  If you need it, you can still run that back to IAS or ACS/TACACS+.

Hope this helps,


CreatePlease to create content