https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175461#M118526 <HTML><HEAD></HEAD><BODY><P>Thanks, jkatyal...</P><P></P><P>I had disabled my defualt network acess policy for a more granular access policy. Should I create a new end station filter, create a new service selection rule, and tie it into a new Acess policy? If so what protocol do I need to enable?</P><P></P><P>MS-CHAPv2....PAP/ASCII </P><P></P><P></P><P>Thanks, </P><P>Dan</P></BODY></HTML> Mon, 25 Feb 2013 04:43:05 GMT dan hale 2013-02-25T04:43:05Z https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175459#M118524 <P>Hello All, </P><P></P><P>I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. </P><P></P><P>I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).</P><P></P><P>I also have configured ACS to use Active Directory&nbsp; and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.</P><P></P><P>Any help would be much apperciated</P><P></P><P>Thanks,</P><P>Dan</P> Mon, 11 Mar 2019 03:07:34 GMT https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175459#M118524 dan hale 2019-03-11T03:07:34Z https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175460#M118525 <HTML><HEAD></HEAD><BODY><P>Step 1 Select Users and Identity Stores &gt; External Identity Stores &gt; Active Directory, then click the Directory Groups tab.</P><P></P><P>Step 2 Click Select to see the available AD groups on the domain (and other trusted domains in the same forest). </P><P></P><P>The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest. </P><P></P><P>Step 3 Enter the AD groups ( in your case SECURITY GROUP) or select them from the list, then click OK. </P><P></P><P>Step 4 Click: Save Changes to save the configuration.</P><P></P><P>NOTE: A custom condition for group mapping from the ExternalGroup attribute; the custom condition name is AD1:ExternalGroups </P><P></P><P>Go to the Access Policies.</P><P>!</P><P>!</P><P>Edit the authorization tab &gt; edit the customise tab and move the AD1:ExternalGroups on the right side &gt; click Ok.</P><P></P><P>Create/edit the rule and select the AD group with any condition. This way only users froms security group will able to authenticate.</P><P></P><P>Regards,</P><P>Jatin Katyal <BR /> <BR /> <BR />- Do rate helpful posts -</P></BODY></HTML> Sat, 23 Feb 2013 20:07:50 GMT https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175460#M118525 Jatin Katyal 2013-02-23T20:07:50Z https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175461#M118526 <HTML><HEAD></HEAD><BODY><P>Thanks, jkatyal...</P><P></P><P>I had disabled my defualt network acess policy for a more granular access policy. Should I create a new end station filter, create a new service selection rule, and tie it into a new Acess policy? If so what protocol do I need to enable?</P><P></P><P>MS-CHAPv2....PAP/ASCII </P><P></P><P></P><P>Thanks, </P><P>Dan</P></BODY></HTML> Mon, 25 Feb 2013 04:43:05 GMT https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175461#M118526 dan hale 2013-02-25T04:43:05Z https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175462#M118527 <HTML><HEAD></HEAD><BODY><P>you can use the same "default network access rule", no need to disable it. By default, it uses PAP/ASCII. However, in case you want to push radius access-request as MS-CHAPv2 for VPN users then you have to issue the below listed command under the configured tunnel-group.</P><P></P><P>Tunnel-group <TUNNEL-GROUP-NAME> general-attributes</TUNNEL-GROUP-NAME></P><P>password-management</P><P>exit</P><P></P><P>Let me know if you have any further questions.</P><P></P><P>Regards,</P><P>Jatin Katyal <BR /> <BR /> <BR />- Do rate helpful posts -</P></BODY></HTML> Mon, 25 Feb 2013 05:52:16 GMT https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175462#M118527 Jatin Katyal 2013-02-25T05:52:16Z https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175463#M118528 <HTML><HEAD></HEAD><BODY><P>Thanks Jatin, </P><P></P><P>I created a specific acess policy for vpn users called "VPN-Users Network Access" and it works well if I set the end station filter and compound condition to "ANY"</P><P></P><P>It Seems that I should lock this down to be more secure for the "End Station Filter".....?</P><P></P><P>If so what should my filter be....the IP of the ASA or hostname?</P><P></P><P>Thanks, </P><P>Dan</P></BODY></HTML> Tue, 26 Feb 2013 04:40:52 GMT https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175463#M118528 dan hale 2013-02-26T04:40:52Z https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175464#M118529 <HTML><HEAD></HEAD><BODY><P>In that case you should you lock down the ASA with "device ip" attribute rather then using "end station filter" attribute and the define the ip address of the ASA. Here end station would be -- End stations that initiate and terminate connections like vpn client.</P><P></P><H3> Policy Conditions </H3><P> You can define simple conditions in rule tables based on attributes in: </P><P></P><P> Customizable&nbsp; conditions—You can create custom conditions based on protocol&nbsp; dictionaries and identity dictionaries that ACS knows about. You define&nbsp; custom conditions in a policy rule page; you cannot define them as&nbsp; separate condition objects. </P><P></P><P>Standard&nbsp; conditions—You can use standard conditions, which are based on&nbsp; attributes that are always available, such as device IP address,&nbsp; protocol, and username-related fields. </P><P></P><P></P><P>Regards,</P><P>Jatin Katyal <BR /> <BR /> <BR />- Do rate helpful posts -</P></BODY></HTML> Tue, 26 Feb 2013 06:50:16 GMT https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175464#M118529 Jatin Katyal 2013-02-26T06:50:16Z https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175465#M118530 <HTML><HEAD></HEAD><BODY><P>Jatin, thats what was needed....thanks for you help, </P><P></P><P>Dan</P></BODY></HTML> Wed, 27 Feb 2013 03:27:45 GMT https://community.cisco.com/t5/network-access-control/authenticate-vpn-users-via-acs-5-and-ad-via-external-identity/m-p/2175465#M118530 dan hale 2013-02-27T03:27:45Z