Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1157
Views
0
Helpful
2
Replies

ACS5.1 and ASA8.2: mapping AD group to policy

t.erdin
Level 1
Level 1

‎08-10-2010 04:49 AM - edited ‎03-10-2019 05:19 PM

I'm trying to map vpn users to different group policies upon the group set in Active Directory (MemberOf).

Can anyone tell me how to do this? I've found some documents on the ACS4.x, but nothing on ACS5.1.

Thanks

Thomas

Labels:
0 Helpful
2 Replies 2

Przemyslaw Konitz
Level 1
Level 1

‎08-11-2010 06:09 AM

its quite easy

first few steps are obvious but to have complete view:

1) ASA must have AAA server defined as RADIUS (which will be our ACS 5.1 server)

2) ACS must have  ASA device added in network device list

3) you must add external AD identity store and directory groups (retrived from AD)

for example

4) in "Policy Elements -> Network Access -> Authorization Profiles" add new profile (i.e. "vpn1-grupa") with RADIUS Attributes

GRUPA2 is the name of the group which will be assigned to the user on ASA (where banner and other attributes are assigned to tunnel-group)

note: I tried to use attribute dedicated for that purpose (RADIUS-CISCO VPN 3000/ASA/PIX 7.x-IPSec-Group-Name) but ASA didn't see it (actually dont now why )

5) create "access-service" type network access (i.e. "VPN-access")

6) add new "Service Selection Policy" rule with some condition and result of "VPN-access" service

7) in "VPN-access -> Identity" change identity source to AD1

8) in "VPN-access -> Authorization" tab create new rule with condition of "group name" (i.e. sevenet.lab/Users/OperatorFirmy1)

thats all

hope it helps - I tested it and works fine

regards

0 Helpful

biotron
Level 1
Level 1
In response to Przemyslaw Konitz

‎09-22-2010 06:28 AM

Hello,

I tried that too with 8.3(1), vpn client5.0.07.0290  and certificate authentication  in conjuction with Tacacs authentication and Radius authorization (Tacacs ins't available yet).

cert : ok.

Tacacs authentication against AD1: o.k.

Radius authorization stops after selecting the right ID AD! store with:

    error 24408 User authentication against Active Directory failed since user has entered the wrong password.

Because every other profile (WLAN/dot1x) is working with the same user/password - even tacacs a second before - I have no idea how to solve that.

Greetings

Olaf.

0 Helpful
Customers Also Viewed These Support Documents