Restricting access to AnyConnect by userid

mflanigan
Level 1

My customer has ASA 8.2, and is setting up a webvpn portal.  He would like to allow some users to use AnyConnect, but others would only be allowed clientless access.  He is using NT authentication.  I have set up two different group policies, which do what he wants, and matching tunnel groups, but I don't see an obvious way to force one set of users onto one tunnel, and another set onto the other.  Using group-url as security-through-obscurity was the only thing I could come up with.  Is there a way to do what he wants?  Thanks.


4 Replies

Jennifer Halim
Cisco Employee

Sure, you can use LDAP attribute mapping to assign users to a specific group-policy.

Here is a sample configuration on LDAP attribute mapping for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Hope that helps.

Jennifer,

Thanks, this helps, but I think the user would want to set up group memberships in AD, and use that membership to control group-policy.  Is there a doc on the MS AD schema that would define the group-membership structure, and how to pull specific groups out of that via the attribute maps?  We could use the example as given for an either-or group membership to meet the immediate requirement, but I'm sure they'll want to expand on that later.

Thanks again.

The group membership from AD would be the "memberOf" attribute, and if you run "debug ldap 255" on the ASA firewall whilst trying to authenticate, it will provide you with all the LDAP attributes, and look for the full path of group membership via the "memberOf" attribute.

Here is another sample configuration that might help further (check out the output of "debug ldap 255" at the bottom, and the highlighted "memberOf" attribute):

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

(From the above example, you would need to map the following memberOf attribute: "CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com")

You could obtain your organization's full LDAP path for the memberOf attribute via the "debug ldap 255" output on ASA.

Hope that helps.
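Pulling the two replies above together (LDAP attribute mapping, and keying it off the AD "memberOf" attribute), here is an added example ASA 8.2 configuration that is not from the thread or from the Cisco documents linked in it. It reuses the memberOf DN from the linked Cisco example; the server tag AD-LDAP, the LDAP server address 192.0.2.10, the bind account asa-bind, the second group DN CN=Contractors, and the group-policy, attribute-map and tunnel-group names are all assumed placeholders to adapt. The "deny by default" group-policy is the part worth copying: anyone whose memberOf values match none of the map-value lines lands on the tunnel-group's default group-policy, which here allows zero logins, so an unmapped AD account gets neither AnyConnect nor clientless access instead of silently falling into whichever policy the tunnel-group defaulted to.

```cisco
! Group policies: AnyConnect for one AD group, clientless only for the other,
! and a deny-by-default policy for everyone else.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
!
group-policy AnyConnect-GP internal
group-policy AnyConnect-GP attributes
 vpn-tunnel-protocol svc webvpn
!
group-policy Clientless-GP internal
group-policy Clientless-GP attributes
 vpn-tunnel-protocol webvpn
!
! Attribute map: memberOf -> group-policy name (IETF-Radius-Class carries the
! group-policy name on 8.2). Each map-value target must be an existing group-policy.
! The Employees DN is the one from the linked Cisco example; Contractors is assumed.
ldap attribute-map AD-GroupMap
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com AnyConnect-GP
 map-value memberOf CN=Contractors,CN=Users,DC=ftwsecurity,DC=cisco,DC=com Clientless-GP
!
! LDAP server definition (host, bind DN and base DN are placeholders).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=ftwsecurity,DC=cisco,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 server-type microsoft
 ldap-attribute-map AD-GroupMap
!
! One tunnel-group for everyone; the attribute map decides the group-policy,
! and unmapped users fall to NoAccess.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NoAccess
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
```

Because a single tunnel-group now serves both populations, there is no longer any need to rely on separate group-urls to keep users apart. To confirm a given account resolves to the policy you expect before anyone connects, run "debug ldap 255" as described above and check that the memberOf values returned for that user contain exactly the DN string you put in the map-value line (the match is on the full DN, so a typo or a group in a different OU will quietly fall through to NoAccess), or exercise the server with "test aaa-server authentication AD-LDAP host 192.0.2.10 username <user> password <pass>" and watch the same debug output. Users in more than one mapped group are a case to test explicitly rather than assume.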

Jennifer,

Thanks, that's exactly what I needed.

Regards,

Mike Flanigan