531 Views | 0 Helpful | 3 Replies

WEBVPN and AD group membership

ryan.bachman
Level 1

I desperately need some advice with my WEBVPN authentication design.

How would I restrict specific users to only connect to certain connection profile Aliases?

For instance, let's say I have GROUP A, GROUP B, and GROUP C as aliases, available on the drop-down menu of the SSL login screen. In AD, I have 3 security groups named the same. How do I ensure that only members of the GROUP A security group can authenticate to the GROUP A connection profile, and not the others? Ideally, I would like to accomplish this with RADIUS authentication, but I couldn't find an attribute that was passed along that I can prequalify against. Any and all suggestions are appreciated. Thanks.

Accepted Solution

Ivan Martinon
Level 7

You can use LDAP mapping to authenticate your users against AD with LDAP, retrieve the memberOf value and map it to the IETF-Class value that the ASA understands. This enables group lock, which will only allow users belonging to a specific tunnel group/group policy to connect to that tunnel group/group policy.
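The following is an added configuration example illustrating the approach in the accepted solution; it is not configuration from the thread or from Cisco's documentation. The LDAP server address, bind DN, base DN, group DNs, and the group-policy and tunnel-group names are all assumptions. The idea is: the ASA binds to AD, reads the user's memberOf values, maps a matching value to the IETF-Radius-Class attribute (which the ASA interprets as the group-policy name), and each group-policy carries a group-lock that pins it to one tunnel group. Users whose memberOf matches nothing fall back to a default policy that permits zero logins.

```cisco
! --- Assumed names throughout; adjust to your environment ---

! Map AD group DNs to ASA group-policy names via the Class attribute.
ldap attribute-map AD-GROUP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=GROUP A,OU=VPN Groups,DC=example,DC=com" GROUP-A-POLICY
  map-value memberOf "CN=GROUP B,OU=VPN Groups,DC=example,DC=com" GROUP-B-POLICY
  map-value memberOf "CN=GROUP C,OU=VPN Groups,DC=example,DC=com" GROUP-C-POLICY

! LDAP server group pointing at a domain controller (address assumed).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
  ldap-login-password <bind-password>
  server-type microsoft
  ldap-attribute-map AD-GROUP-MAP

! Fallback policy for users with no mapped group: allow zero sessions.
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0

! One policy per AD group; group-lock ties it to its own tunnel group.
group-policy GROUP-A-POLICY internal
group-policy GROUP-A-POLICY attributes
  vpn-tunnel-protocol ssl-clientless
  group-lock value GROUP-A-TG

group-policy GROUP-B-POLICY internal
group-policy GROUP-B-POLICY attributes
  vpn-tunnel-protocol ssl-clientless
  group-lock value GROUP-B-TG

group-policy GROUP-C-POLICY internal
group-policy GROUP-C-POLICY attributes
  vpn-tunnel-protocol ssl-clientless
  group-lock value GROUP-C-TG

! One tunnel group per alias; each defaults to NOACCESS so that
! only a successful memberOf mapping grants a usable policy.
tunnel-group GROUP-A-TG type remote-access
tunnel-group GROUP-A-TG general-attributes
  authentication-server-group AD-LDAP
  default-group-policy NOACCESS
tunnel-group GROUP-A-TG webvpn-attributes
  group-alias "GROUP A" enable

tunnel-group GROUP-B-TG type remote-access
tunnel-group GROUP-B-TG general-attributes
  authentication-server-group AD-LDAP
  default-group-policy NOACCESS
tunnel-group GROUP-B-TG webvpn-attributes
  group-alias "GROUP B" enable

tunnel-group GROUP-C-TG type remote-access
tunnel-group GROUP-C-TG general-attributes
  authentication-server-group AD-LDAP
  default-group-policy NOACCESS
tunnel-group GROUP-C-TG webvpn-attributes
  group-alias "GROUP C" enable

! Show the alias drop-down on the WebVPN login page.
webvpn
  enable outside
  tunnel-group-list enable
```

Two points worth checking when testing this: a member of GROUP B who picks the "GROUP A" alias is mapped to GROUP-B-POLICY, whose group-lock only permits GROUP-B-TG, so the login is rejected; and a user in none of the three groups lands in NOACCESS, where vpn-simultaneous-logins 0 refuses the session. Running `debug ldap 255` on a test login shows the memberOf values retrieved and which map-value, if any, matched, which is the quickest way to confirm the DNs in the attribute map are exact.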

3 Replies

Thanks for the suggestions. I went with an LDAP solution, but ditched the memberOf requirement. I just set up different AAA server groups with different base DNs, since the accounts will be separated by OUs anyhow.

However, I don't think I can use auto-signon with LDAP, correct? Would I need to configure an SSO server if I wanted to have a single sign-on solution for CIFS shares?

Thanks again for pointing me in the right direction.

Mhhh, I am not a Windows guy, but one of the requirements is for your system to support NTLM v1.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9ff.shtml#req
