Active Directory vpn-group and not all users

venerayan
Level 1

Hi all,

How do I use a particular group (or vpn-group) in my Active Directory object, and not all users have the ability to use my AnyConnect VPN?

Thanks!

2 Replies

minkumar
Level 1

Hi Ricarte,

We can certainly do that; we can restrict the access of the users to a particular group. Do you have an ACS or Microsoft IAS server?

Regards

Minakshi (Do rate helpful posts)

I guess you're using LDAP as a protocol and you would like to allow only one group and deny the rest of the groups. If that's correct, here is a config that you should have on the ASA. If you have a RADIUS server, then we can go with the group-lock feature.

Configuration for restricting access to a particular Windows group on AD:

    group-policy noaccess internal
    group-policy noaccess attributes
     vpn-simultaneous-logins 0
     address-pools none
    ldap attribute-map LDAP-MAP
     map-name memberOf IETF-Radius-Class
     map-value memberOf
    aaa-server LDAP-AD protocol ldap
    aaa-server LDAP-AD host
     server-port 389
     ldap-base-dn
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-dn
     ldap-login-password
     server-type microsoft
     ldap-attribute-map LDAP-MAP
    group-policy internal
    group-policy attributes
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol IPSec l2tp-ipsec ...
     address-pools value
     .....
     .....
    tunnel-group type remote-access
    tunnel-group general-attributes
     authentication-server-group LDAP-AD
     default-group-policy noaccess

Jatin Katyal

- Do rate helpful posts -

~Jatin
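
The default-deny pattern in the reply above (tunnel-group falls back to a policy with `vpn-simultaneous-logins 0`, and only the LDAP attribute map lifts a user out of it) can be checked against a saved configuration. This is an added example, not part of the thread and not Cisco code; `sections`, `value` and `audit` are hypothetical helpers, and the tunnel-group name, policy name `vpn-allowed`, group DN and host address in the sample are constructed placeholders.

```python
import re

# Constructed sample: tunnel-group, policy names, group DN and host are placeholders.
SAMPLE = """\
group-policy noaccess attributes
 vpn-simultaneous-logins 0
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" vpn-allowed
aaa-server LDAP-AD (inside) host 192.0.2.10
 ldap-attribute-map LDAP-MAP
group-policy vpn-allowed attributes
 vpn-simultaneous-logins 3
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP-AD
 default-group-policy noaccess
"""

def sections(cfg):
    """Group indented sub-commands under their unindented parent line."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.strip() and not line[0].isspace():
            cur = line.strip()
            out.setdefault(cur, [])
        elif line.strip() and cur is not None:
            out[cur].append(line.strip())
    return out

def value(lines, key):  # last token of the first sub-command starting with key
    return next((l.split()[-1] for l in lines if l.startswith(key + " ")), None)

def audit(cfg, tunnel_group):
    """Return findings that break the default-deny pattern; [] means it holds."""
    s, findings = sections(cfg), []
    tg = s.get(f"tunnel-group {tunnel_group} general-attributes", [])
    default, server = value(tg, "default-group-policy"), value(tg, "authentication-server-group")
    if value(s.get(f"group-policy {default} attributes", []), "vpn-simultaneous-logins") != "0":
        findings.append("default group-policy does not set vpn-simultaneous-logins 0")
    hosts = [v for k, v in s.items() if re.match(rf"aaa-server {re.escape(str(server))} .*host ", k)]
    maps = {value(h, "ldap-attribute-map") for h in hosts}
    if not hosts or None in maps:
        findings.append("an LDAP host has no ldap-attribute-map")
    for m in sorted(maps - {None}):
        body = s.get(f"ldap attribute-map {m}", [])
        targets = [l.split()[-1] for l in body if l.startswith("map-value memberOf ")]
        if not value(body, "map-name memberOf") or not targets or default in targets:
            findings.append(f"{m}: memberOf does not map to a separate allowing policy")
    return findings
```

The check is structural only: it confirms the fallback policy denies logins and that a `memberOf` mapping exists, not that the mapped DN matches a real AD group.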