03-03-2008 08:20 AM - edited 03-10-2019 03:41 PM
I have an ASA, an ACS appliance, Active Directory, and RSA securID. SSL users should only authenticate with AD, while IPSec users should only authenticate with RSA. Not yet using anyconnect.
here is my scenario:
ACS -- AD - Dynamic users are created in ACS when authenticated with their AD domain login/password
ACS -- AD - AD Group mapping to put user in the correct ACS group
ASA SSL - matches username in ACS group to display customized SSL bookmarks
all looks good
ACS -- RSA - static users in ACS assigned to RSA group in ACS configured for authentication with external RSA DB
ASA IPSec - Authenticates with ACS
Question: How does the ASA or ACS know to authenticate IPSec users ONLY via RSA and SSL users only via AD?
What do I have to do to not allow a windows user to simply enter their AD login/password into thei IPSec client and login. I could see this become common with users who dont have their keyfob handy or forget to use it.
Thanks!
03-04-2008 05:35 AM
You need to look at NAP feature in acs,
A NAP, also known as a profile, is essentially a classification of network-access requests for applying a common policy. You can use NAPs to aggregate all policies that should be activated for a certain location in the network. Alternatively, you can aggregate all policies that handle the same device type, for example, VPNs or Access Points (APs).
Regards,
~JG
Do rate helpful posts
03-05-2008 07:53 PM
Thanks, I will review the link and other NAP info. I also heard about using the IETF RADIUS Attributes # 25 class to set this to match the profile name in the ASA. Will this do the trick and only allow users in the correct groups to authenticate and/or be allowed or denied by group membership?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide