Assign Group Membership attribute to DAP for Radius logins via SSL VPN
Basically I want to query Radius for AD group membership and apply a set of Bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. Any help or suggestions? I saw that using attribute 4242 for DAP for group membership, but what is the Group syntax? I am stuck and need help.
In the example in that document, the syntax used is OU=Grouppolicyname, but the "OU=" is optional; you can just as well enter the name by itself.
If you need help mapping the AD group(s) to the RADIUS Class attribute in ACS, I'm afraid I can't help you with that, but you can ask in the forum.
Alternatively, you could have all users share the same group-policy, but have ACS push the name of the bookmark list to use. I don't know the attribute name by heart, but if you scroll through the list of ASA attributes on ACS it should be fairly obvious (let me know if not).
BTW - there is an alternative to using a RADIUS "proxy" to solve the multi-domain issue. If you configure a GCS (Global Catalog Server) in your AD forest, the ASA can authenticate users in all the domains the GCS knows about. The downside to this is that the GCS does not support password change.