Cisco Support Community

ASA 9.1 + ACS 5.4 SSL Web Portal Bookmarks according to AD Group.

Hello.

I have some issues with SSL VPN on an ASA 5515-X.

I have an ASA (9.1) connected to the ACS (5.4) and have configured the AnyConnect mobile client and the clientless SSL web portal. The ACS also has a connection to Active Directory.

So it's configured so that AD users from a group, for example VPN_clients, can connect via the AnyConnect client or without a client via the SSL web page. And it's working fine.

My goal is to make different SSL portal bookmarks (in ASA terms, different Group Policies) according to AD user group.

For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want users from these groups, after authentication at the SSL web portal, to see only their own bookmarks, available only for their group.

As I understand it, after the authentication process the ACS must tell the ASA which AD groups the user belongs to and the ASA must choose the right group policy for the user, but I have no experience with how to do this.

Accepted Solutions

ASA 9.1 + ACS 5.4 SSL Web Portal Bookmarks according to AD Group

Hello Ivan,

You are right, ACS can let the ASA know which group-policy it should assign, based on RADIUS attribute 25.

Steps on ACS:

1- Define AD groups:

AD-group-1.png

2- Define the authorization profile under the Policy Elements tab:

policy-element-1.png

3- Create the Authorization policy and access criteria:

access-policy.png

Then, on the ASA:

1- Create a group-policy and name it "it".

2- Through the ASDM, create and assign the bookmarks to this group-policy.

3- Once a user authenticates, the ACS sends the attribute 25, which contains the string "ou=it".

4- The ASA looks for the group-policy "it" and assigns it to the user's session.

Let me know if you have any questions.

HTH.

Please rate any helpful posts.
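
The ASA side of the steps above written as CLI, as an added example that is not part of the original answer. The tunnel-group name SSL_PORTAL, the AAA server group name ACS54 and the bookmark list name IT_Bookmarks are assumptions, and the NOACCESS catch-all policy goes beyond what the answer describes: it keeps a user who authenticates without a Class value from landing in a permissive default policy.

```cisco
! Constructed names (assumptions): tunnel-group SSL_PORTAL, AAA server group
! ACS54, bookmark list IT_Bookmarks (the list created in ASDM in step 2).
!
! Per-group policy. Its name must match the value ACS returns in RADIUS
! attribute 25 (Class), "ou=it" in the answer above. Repeat this stanza
! for each AD group that gets its own bookmarks.
group-policy it internal
group-policy it attributes
 vpn-simultaneous-logins 3
 webvpn
  url-list value IT_Bookmarks
!
! Catch-all policy: a user whose Access-Accept carries no Class value
! falls back to the tunnel-group default, which refuses the session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group SSL_PORTAL type remote-access
tunnel-group SSL_PORTAL general-attributes
 authentication-server-group ACS54
 default-group-policy NOACCESS
```

After a test login, `show vpn-sessiondb webvpn` lists the group policy applied to each clientless session, which confirms that the Class value was mapped as intended.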

3 REPLIES

ASA 9.1 + ACS 5.4 SSL Web Portal Bookmarks according to AD Group

Thank you very much, it's working as expected!

ASA 9.1 + ACS 5.4 SSL Web Portal Bookmarks according to AD Group

Perfect!! You are welcome
