05-15-2013 09:27 PM - edited 03-10-2019 08:26 PM
Hi all,
How do I use a particular group (or VPN group) in my Active Directory object so that not all users have the ability to use my AnyConnect VPN?
Thanks!
05-16-2013 09:38 AM
Hi Ricarte,
We can certainly do that; we can restrict access to the users of a particular group. Do you have ACS or a Microsoft IAS server?
Regards
Minakshi (Do rate helpful posts)
05-16-2013 10:03 AM
I guess you're using LDAP as the protocol and you would like to allow only one group and deny the rest of the groups. If that's correct, here is the config that you should have on the ASA. If you have a RADIUS server, then we can go with the group-lock feature.
Configuration for restricting access to a particular windows group on AD
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
 address-pools none
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host
 server-port 389
 ldap-base-dn
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn
 ldap-login-password
 server-type microsoft
 ldap-attribute-map LDAP-MAP
group-policy
group-policy
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value
 .....
 .....
tunnel-group
tunnel-group
 authentication-server-group LDAP-AD
 default-group-policy noaccess
Jatin Katyal
- Do rate helpful posts -
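To make the logic of the config above concrete, here is a small Python simulation of how the ASA uses the ldap attribute-map: each memberOf value returned by AD is compared against the map-value entries, a match selects the mapped group-policy, and a user with no matching group falls through to the tunnel-group's default-group-policy "noaccess", whose vpn-simultaneous-logins 0 blocks the login. This is an added illustration written for this thread, not ASA code and not part of the original post; the group DNs, policy names and address pools are constructed placeholders.

```python
"""Simulation of ASA ldap attribute-map group-policy selection.

Added illustration, not ASA code. All group DNs, policy names and pools
below are constructed placeholders standing in for the blanks in the
posted configuration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed equivalent of:
#   ldap attribute-map LDAP-MAP
#    map-name  memberOf IETF-Radius-Class
#    map-value memberOf "<full group DN>" <group-policy name>
# The map-value must be the full distinguished name of the group exactly
# as AD returns it in memberOf; a short name like "VPN-Users" does not match.
ATTRIBUTE_MAP = {
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": "GP-VPN-USERS",    # constructed
    "CN=VPN-Admins,OU=Groups,DC=example,DC=com": "GP-VPN-ADMINS",  # constructed
}


@dataclass
class GroupPolicy:
    name: str
    simultaneous_logins: int
    address_pool: Optional[str]


# Constructed equivalent of the group-policy blocks in the posted config.
POLICIES = {
    "noaccess": GroupPolicy("noaccess", 0, None),            # vpn-simultaneous-logins 0
    "GP-VPN-USERS": GroupPolicy("GP-VPN-USERS", 3, "VPN-POOL"),
    "GP-VPN-ADMINS": GroupPolicy("GP-VPN-ADMINS", 3, "ADMIN-POOL"),
}

# tunnel-group ... default-group-policy noaccess
DEFAULT_GROUP_POLICY = "noaccess"


def select_group_policy(member_of: List[str]) -> GroupPolicy:
    """Pick the group-policy the attribute map assigns to this user.

    memberOf as returned by AD lists direct memberships only; nested
    groups are not expanded, so a user who is only in a group nested
    inside VPN-Users still falls through to the default policy.
    LDAP multi-valued attributes carry no defined order, so this
    simulation takes the first mapped DN it sees; keep users out of
    more than one mapped group to avoid depending on that order.
    """
    for dn in member_of:
        policy_name = ATTRIBUTE_MAP.get(dn)
        if policy_name is not None:
            return POLICIES[policy_name]
    return POLICIES[DEFAULT_GROUP_POLICY]


def authorize(username: str, member_of: List[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) the way the ASA would apply the policy."""
    policy = select_group_policy(member_of)
    if policy.simultaneous_logins == 0:
        return False, f"{username}: denied by group-policy {policy.name} (simultaneous logins 0)"
    return True, f"{username}: allowed by group-policy {policy.name}, pool {policy.address_pool}"


if __name__ == "__main__":
    # Constructed sample users and their memberOf values.
    samples = {
        "alice": ["CN=VPN-Users,OU=Groups,DC=example,DC=com",
                  "CN=Domain Users,CN=Users,DC=example,DC=com"],
        "bob": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
        "carol": [],
        # dave's Sales group is nested inside VPN-Users, but memberOf
        # does not show that, so he is denied.
        "dave": ["CN=Sales,OU=Groups,DC=example,DC=com"],
    }
    for user, groups in samples.items():
        print(authorize(user, groups)[1])
```

The two checks worth carrying over to a real deployment are the ones the simulation encodes: the map-value must be the group's full DN, and only direct membership counts, so users reached only through nested groups end up in noaccess.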