https://community.cisco.com/t5/network-security/webvpn-and-ad-group-membership/m-p/1192254#M956695 <HTML><HEAD></HEAD><BODY><P>Thanks for the suggestions. I went with an LDAP solution, but ditched the member of requirment. I just set up different aaa server-groups with different base DNs, since the accounts will be seperated by OUs anyhow. </P><P></P><P>However, I don't think I can use auto-signon with LDAP, correct? Would I need to configure an SSO server if I wanted to have a signle sign-on solution for cifs shares? </P><P></P><P>Thanks again for pointing me in the right direction. </P></BODY></HTML> Wed, 11 Mar 2009 21:11:03 GMT ryan.bachman 2009-03-11T21:11:03Z https://community.cisco.com/t5/network-security/webvpn-and-ad-group-membership/m-p/1192252#M956693 <P>I desperately need some advice with my WEBVPN authentication design. </P><P></P><P>How would I restrict specific users to only connect to certain connection profile Aliases?</P><P></P><P>For instance. lets say I have GROUP A, GROUP B, and GROUP C as aliases, available on the drop-down menu of the SSL login screen. In AD, I have 3 Security groups named the same. How do I ensure that only members of the group A security group can authenticate to the GROUP A connection profile, and not the others. Ideally, I would like to accomplish this with Radius authentication, but I couldn't find an attribute that was passed along that I can prequalify against. Any and all suggestions are appreciated. Thanks. </P> Fri, 21 Feb 2020 11:20:41 GMT https://community.cisco.com/t5/network-security/webvpn-and-ad-group-membership/m-p/1192252#M956693 ryan.bachman 2020-02-21T11:20:41Z https://community.cisco.com/t5/network-security/webvpn-and-ad-group-membership/m-p/1192253#M956694 <HTML><HEAD></HEAD><BODY><P>You can use ldap mapping to authenticate your users against AD with ldap, and retrieve the memberOf value and map this to the IETF-Class value that the ASA understands, this to enable group lock, which will only allow users belonging to a specific tunnel group/group policy to connect to that tunnel group/group policy.</P></BODY></HTML> Wed, 11 Mar 2009 16:32:17 GMT https://community.cisco.com/t5/network-security/webvpn-and-ad-group-membership/m-p/1192253#M956694 Ivan Martinon 2009-03-11T16:32:17Z https://community.cisco.com/t5/network-security/webvpn-and-ad-group-membership/m-p/1192254#M956695 <HTML><HEAD></HEAD><BODY><P>Thanks for the suggestions. I went with an LDAP solution, but ditched the member of requirment. I just set up different aaa server-groups with different base DNs, since the accounts will be seperated by OUs anyhow. </P><P></P><P>However, I don't think I can use auto-signon with LDAP, correct? Would I need to configure an SSO server if I wanted to have a signle sign-on solution for cifs shares? </P><P></P><P>Thanks again for pointing me in the right direction. </P></BODY></HTML> Wed, 11 Mar 2009 21:11:03 GMT https://community.cisco.com/t5/network-security/webvpn-and-ad-group-membership/m-p/1192254#M956695 ryan.bachman 2009-03-11T21:11:03Z https://community.cisco.com/t5/network-security/webvpn-and-ad-group-membership/m-p/1192255#M956696 <HTML><HEAD></HEAD><BODY><P>Mhhh I am not a Windows guy, but one of the requirements is for your system to support NTLM v1</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9ff.shtml#req" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9ff.shtml#req</A></P></BODY></HTML> Wed, 11 Mar 2009 23:06:01 GMT https://community.cisco.com/t5/network-security/webvpn-and-ad-group-membership/m-p/1192255#M956696 Ivan Martinon 2009-03-11T23:06:01Z