Authenticate VPN users via ACS 5 and AD via External Identity Store

dan hale
Level 3

Hello All,

I have installed ACS 5.4 and we are looking to authenticate our AnyConnect users with ACS via Active Directory.

I think I have the correct commands in our ASA (we had ACS 4 and authenticated our AnyConnect users).

I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have set up in Active Directory.

Any help would be much appreciated.

Thanks,

Dan


Jatin Katyal
Cisco Employee

Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.

Step 2 Click Select to see the available AD groups on the domain (and other trusted domains in the same forest).

The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest.

Step 3 Enter the AD groups (in your case, the SECURITY GROUP) or select them from the list, then click OK.

Step 4 Click Save Changes to save the configuration.

NOTE: A custom condition for group mapping from the ExternalGroup attribute; the custom condition name is AD1:ExternalGroups

Go to the Access Policies.

Edit the authorization tab > edit the customise tab and move the AD1:ExternalGroups on the right side > click Ok.

Create/edit the rule and select the AD group with any condition. This way only users from the security group will be able to authenticate.

Regards,

Jatin Katyal


- Do rate helpful posts -

~Jatin

Thanks, jkatyal...

I had disabled my default network access policy for a more granular access policy. Should I create a new end station filter, create a new service selection rule, and tie it into a new access policy? If so, what protocol do I need to enable?

MS-CHAPv2....PAP/ASCII

Thanks,

Dan

You can use the same "default network access rule", no need to disable it. By default, it uses PAP/ASCII. However, in case you want to push the RADIUS access-request as MS-CHAPv2 for VPN users, then you have to issue the below listed command under the configured tunnel-group.

Tunnel-group general-attributes

password-management

exit

Let me know if you have any further questions.

Regards,

Jatin Katyal


- Do rate helpful posts -

~Jatin

Thanks Jatin,

I created a specific access policy for VPN users called "VPN-Users Network Access" and it works well if I set the end station filter and compound condition to "ANY".

It seems that I should lock this down to be more secure for the "End Station Filter".....?

If so, what should my filter be....the IP of the ASA or hostname?

Thanks,

Dan

In that case you should lock down the ASA with the "device ip" attribute rather than using the "end station filter" attribute, and then define the IP address of the ASA. Here end station would be -- end stations that initiate and terminate connections, like the VPN client.

Policy Conditions

You can define simple conditions in rule tables based on attributes in:

Customizable conditions—You can create custom conditions based on protocol dictionaries and identity dictionaries that ACS knows about. You define custom conditions in a policy rule page; you cannot define them as separate condition objects.

Standard conditions—You can use standard conditions, which are based on attributes that are always available, such as device IP address, protocol, and username-related fields.

Regards,

Jatin Katyal


- Do rate helpful posts -

~Jatin
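Pulling together the two ASA-side points from Jatin's replies above (the password-management command for MS-CHAPv2, and locking the ACS rule to the ASA's Device IP rather than an end-station filter), here is an added ASA configuration example. It is not Dan's or Jatin's configuration and is not from the thread; the server-group name ACS-RADIUS, the tunnel-group name ANYCONNECT-TG, the addresses 192.0.2.10 (ACS) and 192.0.2.1 (ASA inside interface), and the shared secret are constructed placeholders.

```cisco
! Added example, not from the thread. All names, addresses and the
! shared secret are constructed placeholders.
!
! RADIUS server group pointing at ACS 5.x. The ASA sources RADIUS from
! the interface named in parentheses (inside), so that interface's
! address (192.0.2.1 here) is what ACS sees as the network device and
! what the "Device IP" condition in the ACS rule should match, not the
! outside address that AnyConnect clients connect to.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key CHANGE-ME-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
!
! Tunnel-group behind the AnyConnect connection profile.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group ACS-RADIUS
 ! Without password-management the ASA sends PAP/ASCII to ACS; with it,
 ! the Access-Request carries MS-CHAPv2, so "Allow MS-CHAPv2" must also
 ! be ticked in the allowed protocols of the ACS access service.
 password-management
 exit
```

On the ACS side this pairs with a network device entry for the ASA using 192.0.2.1 and the same shared secret, and an authorization rule whose conditions are Device IP equals 192.0.2.1 and AD1:ExternalGroups contains the security group; a user outside that group then gets Access-Reject instead of a match on a wide-open "ANY" rule. Before changing the connection profile, `test aaa-server authentication ACS-RADIUS host 192.0.2.10 username <aduser> password <pw>` on the ASA confirms the shared secret, the protocol and the group mapping without involving a VPN client.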

Jatin, that's what was needed....thanks for your help,

Dan