Cisco ASA AnyConnect group policy assigned by Windows IAS/AD

jdczerwinski
Level 1

I'm looking to centralize all of the VPN accounts (AnyConnect / SSLVPN) via our Active Directory.  I would like to set up AD via IAS groups, based on security levels, and map those to the Cisco ASA group policy.  Furthermore, I would like to assign an IP address pool based on the group.

For example:

Active Directory (Group)    Cisco ASA VPN Group Policy    IP Address Pool
Security Level 1            Security_Level_1              192.168.1.1 - 192.168.1.10
Security Level 2            Security_Level_2              192.168.2.1 - 192.168.2.10
Security Level 3            Security_Level_3              192.168.3.1 - 192.168.3.10
Security Level 4            Security_Level_4              192.168.4.1 - 192.168.4.10

1 Reply

jimsiff
Level 1

I've used IAS for remote access AAA, and it does work well.  For your requirements, I might suggest plugging into AD directly using LDAPS.  If you know your AD schema, it's not too difficult to get LDAP working.  With LDAP, you can use an LDAP map to map AD groups to ASA group policies.  You will also be able to prompt users to change their AD passwords when they near expiration, which I'm not sure you can do via IAS/RADIUS.

The only thing you lose with LDAPS is Accounting.  If you need it, you can still run that back to IAS or ACS/TACACS+.

Hope this helps,

Jim