02-23-2013 10:39 AM - edited 03-10-2019 08:07 PM
Hello All,
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory.
I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
Any help would be much appreciated.
Thanks,
Dan
02-25-2013 10:50 PM
In that case you should lock down the ASA with the "Device IP" attribute rather than using the "End Station Filter" attribute, and then define the IP address of the ASA. Here, end station would be: end stations that initiate and terminate connections, like the VPN client.
You can define simple conditions in rule tables based on attributes in:
Customizable conditions—You can create custom conditions based on protocol dictionaries and identity dictionaries that ACS knows about. You define custom conditions in a policy rule page; you cannot define them as separate condition objects.
Standard conditions—You can use standard conditions, which are based on attributes that are always available, such as device IP address, protocol, and username-related fields.
Regards,
Jatin Katyal
- Do rate helpful posts -
02-23-2013 12:07 PM
Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.
Step 2 Click Select to see the available AD groups on the domain (and other trusted domains in the same forest).
The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest.
Step 3 Enter the AD groups (in your case, the SECURITY GROUP) or select them from the list, then click OK.
Step 4 Click Save Changes to save the configuration.
NOTE: A custom condition for group mapping from the ExternalGroup attribute; the custom condition name is AD1:ExternalGroups
Go to the Access Policies.
Edit the Authorization tab > edit the Customize tab and move AD1:ExternalGroups to the right side > click OK.
Create/edit the rule and select the AD group with any condition. This way only users from the security group will be able to authenticate.
Regards,
Jatin Katyal
- Do rate helpful posts -
02-24-2013 08:43 PM
Thanks, jkatyal...
I had disabled my default network access policy for a more granular access policy. Should I create a new end station filter, create a new service selection rule, and tie it into a new access policy? If so, what protocol do I need to enable?
MS-CHAPv2 or PAP/ASCII?
Thanks,
Dan
02-24-2013 09:52 PM
You can use the same "default network access rule"; no need to disable it. By default, it uses PAP/ASCII. However, in case you want to push the RADIUS Access-Request as MS-CHAPv2 for VPN users, then you have to issue the below listed command under the configured tunnel-group.

    ! password-management lives under the tunnel-group's general-attributes
    ! sub-mode; <tunnel-group-name> is a placeholder for your AnyConnect tunnel-group
    tunnel-group <tunnel-group-name> general-attributes
     password-management
    exit
Let me know if you have any further questions.
Regards,
Jatin Katyal
- Do rate helpful posts -
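The ASA side of what this reply describes, as an added example that is not part of the thread or of Cisco's documentation: it defines ACS as a RADIUS server group, binds the AnyConnect tunnel-group to it, and sets password-management so the Access-Request goes out as MS-CHAPv2 instead of the PAP/ASCII default. The server-group name ACS-RADIUS, the tunnel-group name ANYCONNECT-TG, the address 192.0.2.10 and the shared secret are placeholders, not values from the thread. The interface the ASA sources the RADIUS traffic from determines the address ACS sees, which is the value the later "Device IP" condition is matched against, so it must be the address the ASA is registered with as a network device in ACS.

```cisco
! Added example configuration; all names, addresses and the key are placeholders.
!
! RADIUS server group pointing at ACS 5.4. The ASA sources the request from the
! "inside" interface, so ACS must have the ASA's inside address as its network-
! device IP (that is what a "Device IP Address" condition in ACS compares).
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
! AnyConnect tunnel-group bound to that server group. password-management makes
! the ASA send the RADIUS Access-Request as MS-CHAPv2 (and handles password
! expiry/change prompts); without it the request is PAP/ASCII.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group ACS-RADIUS
 password-management
```

The shared secret is what authenticates the ASA to ACS, so keep it distinct per device and rotate it together with the ACS network-device entry; a mismatch shows up in ACS as a failed or unknown-NAD request rather than a user authentication failure. The ACS-side group restriction described earlier in the thread (the AD1:ExternalGroups condition in the authorization rule) is still what limits logins to the intended security group; this configuration only delivers the credentials to ACS.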
02-25-2013 08:40 PM
Thanks Jatin,
I created a specific access policy for VPN users called "VPN-Users Network Access" and it works well if I set the end station filter and compound condition to "ANY".
It seems that I should lock this down to be more secure for the "End Station Filter"...?
If so, what should my filter be: the IP of the ASA or the hostname?
Thanks,
Dan
02-26-2013 07:27 PM
Jatin, that's what was needed... thanks for your help,
Dan