ASA 5510 access resources by NT Domain grouping

I'm configuring the ASA 5510 to authenticate users using an AAA server of the NT Domain type; it works for authenticating AD users to get in.

My next step is that I want to authenticate users accessing WebVPN with different group policies defined in ASDM, according to Windows AD group.

That is to say, I want the Group A, Group B and Group C users in Windows AD to get group-policy A, group-policy B and group-policy C respectively, to control their applications.

How can I do that?

Many thanks in advance!

5 REPLIES

Re: ASA 5510 access resources by NT Domain grouping

Your requirement seems as though it could be accomplished using DAP (Dynamic Access Policies). I have not played with this feature yet, so it is an educated guess.

Have a look here.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Rgds

Jorge


Re: ASA 5510 access resources by NT Domain grouping

Thanks for your help.

I'm trying to configure DAP (Dynamic Access Policies), but it still doesn't work. Do you know whether DAP works with LDAP or NT Domain authentication in the AAA configuration? I've tried working with both LDAP and NT Domain; neither works.

Thank you!

Re: ASA 5510 access resources by NT Domain grouping

It should; if you look at the same link I provided, it should work with an LDAP/AD environment.

This one is tricky to lab out, or would take some time, but you could perhaps open a TAC case to get faster expert assistance on this feature and your requirements.

This is another DAP link with a little more detail.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_dap.html


Re: ASA 5510 access resources by NT Domain grouping

Thanks! DAP will have to be considered later.

Now I have a problem making the connection to the other VPN peer site over WebVPN.

When our client connects to the WebVPN, I've set it to assign an IP address from a pool, but when I check ipconfig on the client notebook, I find that the IP address is from the ISP, not an address from my pool. How can I check the WebVPN session, and whether it is using the address assigned by the ASA?

I have the following commands:

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool bigpool
 authentication-server-group SG1
 authentication-server-group (inside) SG1
 default-group-policy SSL_IT
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Default disable
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 3600 retry 2
ip local pool bigpool 192.168.100.101-192.168.100.120 mask 255.255.255.0


Re: ASA 5510 access resources by NT Domain grouping

You can accomplish this if you use Microsoft IAS or NPS for authentication to Active Directory. You can create the policies and dynamically set the VPN group and group-policy based on Active Directory security group membership. Each VPN group will use a group-policy with the appropriate VPN filter ACL applied.

I mention Microsoft IAS or NPS since you didn't mention that you have Cisco ACS (which costs extra).
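The reply above drives the group-policy choice from a RADIUS server (IAS/NPS). The ASA can also do the same mapping itself over LDAP, which avoids the extra server and works with the LDAP AAA server type the original poster already tried. The NT Domain server type only authenticates and returns no group information, so it cannot drive this on its own. The configuration below is an added example, not configuration from anyone in this thread; the domain example.local, the bind account svc-asa, the LDAP server address 192.0.2.10, the AD groups VPN-GroupA/B/C and the group-policies GP-A/GP-B/GP-C are all assumed names, and the bind password is a placeholder.

```cisco
! Added example (not from the thread). Assumed names: domain example.local,
! bind account svc-asa, groups VPN-GroupA/B/C, group-policies GP-A/GP-B/GP-C.
!
! Security point: authentication is not authorization. A user who is valid in AD
! but in none of the mapped groups lands in the default group-policy, so make
! that policy deny the session rather than silently granting SSL_IT access.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy GP-A internal
group-policy GP-B internal
group-policy GP-C internal
!
! Map the user's memberOf values onto the RADIUS Class attribute, which the ASA
! interprets as the group-policy name. (On ASA 8.2 and later the attribute
! "Group-Policy" can be used instead of IETF-Radius-Class.)
ldap attribute-map AD-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-GroupA,OU=Groups,DC=example,DC=local" GP-A
 map-value memberOf "CN=VPN-GroupB,OU=Groups,DC=example,DC=local" GP-B
 map-value memberOf "CN=VPN-GroupC,OU=Groups,DC=example,DC=local" GP-C
!
! LDAP server definition with the attribute map attached. The bind account
! only needs read access; ChangeMeNow is a placeholder, not a real password.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=ServiceAccounts,DC=example,DC=local
 ldap-login-password ChangeMeNow
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! Point the WebVPN tunnel-group at LDAP and fall back to the deny policy.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

Two caveats a practitioner should check before relying on this. memberOf lists only direct group membership, so users who reach VPN-GroupA through a nested group are not matched and fall into NOACCESS; either add them directly or map the parent group too. And memberOf is multi-valued: if a user belongs to more than one mapped group, run `debug ldap 255` during a test login to see which value the ASA actually applies, since the order AD returns the values is not something you control. After login, `show vpn-sessiondb webvpn` (clientless) or `show vpn-sessiondb svc` (SSL VPN client) lists each session with the group-policy it received, and for SVC sessions the address handed out from the pool, which also answers the earlier question about checking whether the pool address is in use.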
