New Member

ASA: group lock with NT-Domain authentication.

Hi!

We have one ASA5510. I set up two groups for remote VPNs, and both use NT-domain authentication. How can I set tunnel-group lock for the users in both groups?

How can I lock the user to the group? Is there any configuration in Active Directory to set the group for users?

I don't know what the solution is; I have found nothing.

Please help, thank you!

Gabor


Re: ASA: group lock with NT-Domain authentication.

There are a few ways that this can be accomplished. You can statically configure a connection profile lock on the respective group policy that the users are being assigned to. You could also use an LDAP attribute map to match a particular field in AD. For example, you configure your ASA connection profiles to match internal departments. Users in AD who are part of the Engineering department should get locked to the Engineering connection profile. You can achieve this type of configuration using the following:

ldap attribute-map Tunnel-Lock
 map-name department Tunnel-Group-Lock
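
The attribute map from the reply above, shown together with the LDAP server binding it needs, as an added example that is not part of the original post: an `ldap attribute-map` takes effect only once it is applied to an LDAP `aaa-server` host with `ldap-attribute-map`. The server name `AD-LDAP`, the interface, the address, the DNs, the bind account and the `Sales` profile are assumptions, and the example assumes users authenticate against AD over LDAP.

```cisco
! Constructed example: server name, address, DNs and bind account are placeholders.
!
! 1. Map the AD "department" user attribute to the ASA Tunnel-Group-Lock attribute.
ldap attribute-map Tunnel-Lock
 map-name department Tunnel-Group-Lock
!
! 2. Define the AD server as an LDAP AAA server and bind the map to it.
!    Without the ldap-attribute-map line the map above is never consulted.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password <bind-password>
 ldap-attribute-map Tunnel-Lock
!
! 3. Connection profiles named after the AD department values.
!    A user whose department is "Engineering" is locked to the Engineering
!    profile and is refused on the Sales profile, and vice versa.
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 authentication-server-group AD-LDAP
tunnel-group Sales type remote-access
tunnel-group Sales general-attributes
 authentication-server-group AD-LDAP
```

The value stored in each user's `department` attribute has to be the name of an existing connection profile. Running `debug ldap 255` during a test login shows the attributes returned by AD and the mapped value.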

New Member

Re: ASA: group lock with NT-Domain authentication.

Hi, Todd!

Thank you! This is what I want.

(please post a message to close this topic - I failed the rating)

thanks Gabor

New Member

Re: ASA: group lock with NT-Domain authentication.

Hi,

Something is not clear.

In the example, what is the "department" in AD? What does "particular field" mean? Do I have to enlarge the AD schema, or what?

Re: ASA: group lock with NT-Domain authentication.

The "department" field that I was speaking of would be an attribute assigned to the user account in Active Directory.

New Member

Re: ASA: group lock with NT-Domain authentication.

OK! Thank you, I found this field in AD.

There is a good guide here:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html

bye, Gabor
