ASA/AnyConnect with 2 LDAP Attributes

Jeff Van Houten
Level 5

We currently are using LDAP to authenticate users accessing an ASA.  We enforce usage of the AnyConnect client by mapping the msNPAllowDialIn LDAP attribute to the Cisco Tunneling-Protocols attribute.  "Deny Access" in the A/D Dial-In tab of the user equates to a value of 0 sent to Tunneling-Protocols, which keeps non-authorized users from accessing.  "Allow Access" is mapped to a "32" which enforces the use of the AnyConnect client.  All is well and this works perfectly.

Now we want to create a second category of users.  These users will be allowed access, but we want to use Clientless VPN, and we want to only allow TCP port forwarding to 3389 (you can see where this is going).  I understand that I can map an LDAP attribute "memberOf" with a value of "VPN-RDPOnly" to the IETF-Radius-Class ASA attribute and apply a group policy of that same name which would do the trick.  My question is, can I have both?  I'd like to keep the "Tunneling-Protocols" attribute (which I know would have to change to 48) so that I can quickly turn off anyone I want to by allowing and disallowing through the group policy dial-in tab.  But, I'd also like to have another attribute that determines which group policy is applied.  So, for a given user, can the ASA evaluate both attributes (tunneling-protocols for access authorization and IETF-radius-class for policy assignment)?
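The two mappings described in the question, written out as one ASA LDAP attribute map with the matching clientless group policy. This is an added example, not configuration from the poster or from Cisco; the server-group name, attribute-map name, base DN, service account, host address, group DN and port-forward target are placeholders.

```cisco
! Added example (not from the thread). Names, DNs and addresses are placeholders.
! A single attribute map may hold several map-name entries, so both LDAP
! attributes are returned and evaluated for the same user in one lookup.
ldap attribute-map AD-VPN-MAP
 ! Dial-in tab: "Deny Access" -> 0 (no tunnel protocol permitted)
 !              "Allow Access" -> 48 (16 clientless SSL + 32 AnyConnect SSL client)
 map-name  msNPAllowDialin Tunneling-Protocols
 map-value msNPAllowDialin FALSE 0
 map-value msNPAllowDialin TRUE 48
 ! Group membership selects the group-policy; memberOf carries the group's DN,
 ! so the full DN (placeholder here) is matched, not just the CN
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-RDPOnly,OU=Groups,DC=example,DC=com" VPN-RDPOnly
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD-VPN-MAP
!
! Port-forward list: only local 3389 -> the RDP host on 3389 (placeholder host)
webvpn
 port-forward RDP-ONLY 3389 rdp.example.com 3389 RDP
!
! Policy named exactly as the mapped IETF-Radius-Class value above:
! clientless only, nothing exposed but the port-forward list
group-policy VPN-RDPOnly internal
group-policy VPN-RDPOnly attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  port-forward enable RDP-ONLY
  port-forward auto-start RDP-ONLY
  url-list none
  url-entry disable
  file-browsing disable
  file-entry disable
!
tunnel-group VPN-USERS general-attributes
 authentication-server-group AD-LDAP
```

Because the ASA applies per-user attributes returned by the AAA server ahead of group-policy attributes, a user who receives Tunneling-Protocols 48 and group policy VPN-RDPOnly should be checked with `show vpn-sessiondb` after login to confirm the session is actually clientless-only rather than also permitted AnyConnect.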

2 Replies

paolo bevilacqua
Hall of Fame

Wrong forum, post in "Security - VPN". You can move your posting using the Actions panel on the right.

All right. Now that the question is in the correct forum according to Paolo, does anyone have an idea?
