886 Views, 0 Helpful, 2 Replies

Beginner

ACS5.1 and ASA8.2: mapping AD group to policy

I'm trying to map VPN users to different group policies based on the group set in Active Directory (MemberOf).

Can anyone tell me how to do this? I've found some documents on the ACS4.x, but nothing on ACS5.1.

Thanks

Thomas

2 Replies

Re: ACS5.1 and ASA8.2: mapping AD group to policy

It's quite easy.

The first few steps are obvious, but to have a complete view:

1) The ASA must have an AAA server defined as RADIUS (which will be our ACS 5.1 server)

2) ACS must have the ASA device added in the network device list

3) You must add an external AD identity store and directory groups (retrieved from AD)

for example

4) In "Policy Elements -> Network Access -> Authorization Profiles" add a new profile (i.e. "vpn1-grupa") with RADIUS Attributes

GRUPA2 is the name of the group which will be assigned to the user on the ASA (where the banner and other attributes are assigned to the tunnel-group)

Note: I tried to use the attribute dedicated for that purpose (RADIUS-CISCO VPN 3000/ASA/PIX 7.x-IPSec-Group-Name) but the ASA didn't see it (actually don't know why)

5) Create an "access-service" of type network access (i.e. "VPN-access")

6) Add a new "Service Selection Policy" rule with some condition and a result of the "VPN-access" service

7) In "VPN-access -> Identity" change the identity source to AD1

8) In the "VPN-access -> Authorization" tab create a new rule with a condition of "group name" (i.e. sevenet.lab/Users/OperatorFirmy1)

That's all.

Hope it helps - I tested it and it works fine.

regards
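
As an added example (not part of the original reply, whose screenshot of the RADIUS attributes is not on this page), the ASA-side configuration that matches steps 1, 4 and 5 above. It assumes ACS returns the group name in the IETF Class attribute as "OU=GRUPA2;" (the attribute type is an assumption), and it sets the default group policy to zero logins so that a user whose AD group matched no ACS authorization rule authenticates but gets no VPN session. The server address, shared secret, ACL and tunnel-group name are placeholders.

```cisco
! Added example, not from the original reply. ACS-RADIUS, 10.0.0.5, the
! keys, OPERATORS-ACL and VPN-USERS are assumed values; replace them.

! Step 1: the ACS 5.1 server as a RADIUS AAA server group
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.5
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! Fail closed: a user whose AD group hits no ACS authorization rule lands
! in the default policy, and zero simultaneous logins means no session
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! Step 4 on the ASA side: the policy selected when ACS returns
! Class = "OU=GRUPA2;" (the name must match this policy name exactly).
! vpn-simultaneous-logins is set here because it would otherwise inherit
! the 0 from DfltGrpPolicy.
access-list OPERATORS-ACL extended permit ip any 10.10.0.0 255.255.0.0
group-policy GRUPA2 internal
group-policy GRUPA2 attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ipsec
 banner value Operators only - access is logged
 vpn-filter value OPERATORS-ACL

! Tunnel group used by the VPN client; authentication goes to ACS, and the
! authorization attribute comes back in the same Access-Accept
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy DfltGrpPolicy
tunnel-group VPN-USERS ipsec-attributes
 pre-shared-key <placeholder>

! Check after a test login: the Group Policy field should show GRUPA2
! for a member of the mapped AD group, never DfltGrpPolicy
! show vpn-sessiondb remote filter name <username>
```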

Beginner

Re: ACS5.1 and ASA8.2: mapping AD group to policy

Hello,

I tried that too with 8.3(1), VPN client 5.0.07.0290 and certificate authentication in conjunction with TACACS authentication and RADIUS authorization (TACACS isn't available yet).

cert: OK.

TACACS authentication against AD1: OK.

RADIUS authorization stops after selecting the right ID AD1 store with:

    error 24408 User authentication against Active Directory failed since user has entered the wrong password.

Because every other profile (WLAN/dot1x) is working with the same user/password - even tacacs a second before - I have no idea how to solve that.

Greetings

Olaf.