WEBVPN and AD group membership

I desperately need some advice with my WEBVPN authentication design.

How would I restrict specific users to only connect to certain connection profile Aliases?

For instance, let's say I have GROUP A, GROUP B, and GROUP C as aliases, available on the drop-down menu of the SSL login screen. In AD, I have 3 Security groups named the same. How do I ensure that only members of the GROUP A security group can authenticate to the GROUP A connection profile, and not the others? Ideally, I would like to accomplish this with Radius authentication, but I couldn't find an attribute that was passed along that I can prequalify against. Any and all suggestions are appreciated. Thanks.

Accepted Solution

Re: WEBVPN and AD group membership

You can use LDAP mapping to authenticate your users against AD with LDAP, retrieve the memberOf value and map it to the IETF-Class value that the ASA understands. This enables group lock, which will only allow users belonging to a specific tunnel group/group policy to connect to that tunnel group/group policy.

3 REPLIES

Re: WEBVPN and AD group membership

Thanks for the suggestions. I went with an LDAP solution, but ditched the memberOf requirement. I just set up different aaa server-groups with different base DNs, since the accounts will be separated by OUs anyhow.

However, I don't think I can use auto-signon with LDAP, correct? Would I need to configure an SSO server if I wanted to have a single sign-on solution for CIFS shares?

Thanks again for pointing me in the right direction.

Re: WEBVPN and AD group membership

Mhhh, I am not a Windows guy, but one of the requirements is for your system to support NTLM v1.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9ff.shtml#req
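To show what the two follow-up posts describe (the per-OU base DN approach the original poster settled on, and auto-signon to CIFS shares with NTLM from the last reply), here is an added example configuration. It is not from the thread or from the linked Cisco document; the OU names, server group names, 192.0.2.10, example.com and the file server fs01.example.com are all assumptions, and the assumption behind the auto-signon part is that the ASA replays the username and password the user typed at the portal login, so the AD account used for LDAP must also be the one the file server accepts.

```cisco
! Added example, not the thread's own configuration. All names and
! addresses below are placeholders.

! One LDAP server group per OU. The base DN restricts the user search,
! so an account that lives outside OU=VPN-A is simply not found when
! it tries the GROUP-A profile and authentication fails.
aaa-server AD-LDAP-A protocol ldap
aaa-server AD-LDAP-A (inside) host 192.0.2.10
 ldap-base-dn OU=VPN-A,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <service-account-password-placeholder>
 server-type microsoft

aaa-server AD-LDAP-B protocol ldap
aaa-server AD-LDAP-B (inside) host 192.0.2.10
 ldap-base-dn OU=VPN-B,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <service-account-password-placeholder>
 server-type microsoft

! Each connection profile authenticates against its own OU-scoped group.
tunnel-group GROUP-A type remote-access
tunnel-group GROUP-A general-attributes
 authentication-server-group AD-LDAP-A
 default-group-policy GROUP-A-POLICY
tunnel-group GROUP-A webvpn-attributes
 group-alias GROUP-A enable

tunnel-group GROUP-B type remote-access
tunnel-group GROUP-B general-attributes
 authentication-server-group AD-LDAP-B
 default-group-policy GROUP-B-POLICY
tunnel-group GROUP-B webvpn-attributes
 group-alias GROUP-B enable

! Clientless portal policy with auto-signon for a CIFS file server,
! forwarding the portal credentials with NTLM (the last reply notes the
! target must accept NTLM v1 for this to work).
group-policy GROUP-A-POLICY internal
group-policy GROUP-A-POLICY attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  auto-signon allow uri cifs://fs01.example.com/* auth-type ntlm

group-policy GROUP-B-POLICY internal
group-policy GROUP-B-POLICY attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  auto-signon allow uri cifs://fs01.example.com/* auth-type ntlm

webvpn
 enable outside
 tunnel-group-list enable
```

The trade-off of the per-OU design compared with a memberOf map is that the access decision lives in where the account object sits in the directory, not in a group: moving a user to another OU changes what they can reach with no change on the ASA, and there is no group-lock check to catch a misplaced account. That is fine if OU placement is tightly controlled, and worth a periodic review if it is not.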
