If you're using the legacy IPsec VPN client, the group name in the authentication box matches the tunnel-group (also known as connection profile) on the ASA. The preshared key of that tunnel-group ties the users to that particular group. That's independent of any RSA authentication and/or RADIUS authorization.
Of course with SSL or IPsec IKEv2 VPNs (AnyConnect Secure Mobility client), you would use the group-lock feature to restrict a user or group to a given connection profile.
You could set up RADIUS for authorization as you alluded to earlier. That's in addition to the authentication you are doing via SDI to the LDAP backend. In the RADIUS setup you could assign downloadable ACLs etc. to restrict unauthorized users from using profiles inappropriately.
The better long term solution would be to just move to AnyConnect clients and use SSL VPN with the greater flexibility you have using connection profile lock and other mechanisms to restrict user access to the desired resources.
The most secure option would be to deploy individual user certificates using a PKI (and potentially SCEP) and prefill the username from the certificate. That's a non-trivial undertaking if there's no PKI currently in place but can result in a very nicely secured setup.
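To make the two mechanisms in this answer concrete, here is an added ASA configuration sketch (example configuration, not part of the original post or of any Cisco document). It shows a tunnel-group whose pre-shared key ties the legacy IPsec client to that one group, an ACS reached as a RADIUS server for authentication and authorization, and the group-lock attribute that pins a group policy and a locally defined user to that connection profile. All names (SALES, SALES_GP, SALES_POOL, ACS_RADIUS, jdoe), addresses and the key are placeholders; the `ikev1 pre-shared-key` form assumes ASA 8.4 or later (older releases use `pre-shared-key` without the `ikev1` keyword).

```text
! --- AAA: the ACS is the only AAA server the ASA talks to (placeholder address/key)
aaa-server ACS_RADIUS protocol radius
aaa-server ACS_RADIUS (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>

! --- Address pool handed to clients that land in this profile
ip local pool SALES_POOL 10.10.50.1-10.10.50.254 mask 255.255.255.0

! --- Group policy: group-lock makes the policy usable only from the SALES profile
group-policy SALES_GP internal
group-policy SALES_GP attributes
 vpn-tunnel-protocol ikev1 ssl-client
 group-lock value SALES

! --- Connection profile (tunnel-group): the pre-shared key is what the legacy
!     IPsec client's "group name"/"group password" fields map to
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 address-pool SALES_POOL
 authentication-server-group ACS_RADIUS
 default-group-policy SALES_GP
tunnel-group SALES ipsec-attributes
 ikev1 pre-shared-key <GROUP-PSK-PLACEHOLDER>

! --- Per-user lock (local user shown for illustration); a user who connects
!     through any other profile is rejected at login
username jdoe attributes
 group-lock value SALES
```

A user who is locked to SALES but authenticates through a different tunnel-group is refused even when the credentials are valid, which is the behaviour this answer relies on. When the user database is on the ACS rather than local, the same lock is delivered as a per-user RADIUS attribute from the ACS instead of the `username ... attributes` stanza; the `authentication-server-group` line is what makes the ASA consult the ACS for that decision.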
Ok, what will be best suited for the following scenario:
IPsec VPN clients only terminating on ASA.
The VPN clients authenticate using dual-factor against RSA for token and against AD for user/pass.
The authentication should be done via the ACS.
Given the above scenario, how do I configure the devices to lock down the VPN clients to specific tunnel-groups in the ASA?
For example: The ASA will only have as AAA server the ACS, and the ACS will both handle the RSA and AD authentication besides the attribute to lock down the users to specific groups? And if so, the ACS will send this info. to the ASA?
Or, do I configure DAP policies to accomplish this?