Authentication based on AD group for each VPN group

guibarati
Level 4

How can I configure my ASA 5520 to authenticate each VPN group only if the user is in a specific AD group?

For example, I have 2 VPN groups:

Accounting

sales

And I want each user to authenticate only if he/she is within his/her specified AD group. I'm using Windows IAS for RADIUS authentication.

4 Replies

Roble Mumin
Level 3

This is actually very interesting. Did you find a method to get this working?

Hi,

Keep RADIUS between IAS and ASA.

Then configure IAS to get the RADIUS users from AD (through LDAP, I think).

Please rate if this helped.

Regards,

Daniel

dogany
Level 1

You can use the Group Lock feature in the Group Policy.

First you should use a different Group Policy for each of the Tunnel Groups, and then edit the Group Policy to support Group Lock.

Group Lock is on the IPSec parameters tab of the Group Policy.

And you should use the group name as the OU parameter in the user profile on the AAA server.

Here is a sample user profile which is configured to use test.vpn as the group name, for Cisco Secure Unix:

    user = testuser@ssl.vpn{
        profile_id = 128911
        set server current-failed-logins = 1
        profile_cycle = 6
        member = test.vpn
        password = chap "********"
        password = pap "********"
        radius=Cisco {
            reply_attributes= {
                25="OU=test.vpn"
            }
        }
    }
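The ASA side of the Group Lock approach described in the reply above, as an added example that is not part of the original thread or of any poster's configuration. It assumes hypothetical names: tunnel groups ACCOUNTING and SALES, group policies ACCOUNTING-GP and SALES-GP, a fallback policy DENY-GP, and an IAS server at 10.0.0.10. The mechanism is: IAS returns RADIUS attribute Class (25) naming a group policy based on the user's AD group, and each group policy carries a group-lock that names the only tunnel group it may be used through, so a user whose AD group maps to SALES-GP is rejected when connecting to the ACCOUNTING tunnel group.

```cisco
! Added example (not from the original thread). Names and the IAS address
! are assumptions for illustration.

! RADIUS server group pointing at Windows IAS
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.0.0.10
 key ChangeMeRadiusSecret
 authentication-port 1812
 accounting-port 1813

! One group policy per tunnel group. group-lock names the only tunnel group
! (connection profile) through which a user holding this policy may connect;
! a mismatch makes the ASA reject the login even though IAS accepted it.
group-policy ACCOUNTING-GP internal
group-policy ACCOUNTING-GP attributes
 group-lock value ACCOUNTING
group-policy SALES-GP internal
group-policy SALES-GP attributes
 group-lock value SALES

! Fallback policy for anyone whose RADIUS reply carries no Class attribute:
! vpn-simultaneous-logins 0 disables login, so an unmapped user gets nothing
! rather than inheriting DfltGrpPolicy.
group-policy DENY-GP internal
group-policy DENY-GP attributes
 vpn-simultaneous-logins 0

! Tunnel groups: authenticate against IAS; the policy returned in Class
! overrides default-group-policy, so only unmapped users land in DENY-GP.
tunnel-group ACCOUNTING type remote-access
tunnel-group ACCOUNTING general-attributes
 authentication-server-group IAS
 default-group-policy DENY-GP
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 authentication-server-group IAS
 default-group-policy DENY-GP
```

On the IAS side this needs one remote access policy per AD group (condition Windows-Groups matches the accounting group, Profile > Advanced > add the standard RADIUS attribute Class with the string value OU=ACCOUNTING-GP; and likewise for sales). The ASA documentation gives the Class format as OU=<group-policy-name>; with a trailing semicolon, which the Cisco Secure Unix sample above omits, and the name must match the group-policy name exactly, just as the group-lock value must match the tunnel-group name exactly. A user who is in both AD groups matches whichever IAS policy is evaluated first and is confined to that policy's tunnel group. Verify the returned attributes with `test aaa-server authentication IAS host 10.0.0.10 username <user> password <pass>` while `debug radius` is on. Note that group-lock governs VPN sessions only: ASA management logins are authenticated by the separate `aaa authentication ssh console`, `aaa authentication http console` and `aaa authentication enable console` commands, whose server group and matching IAS policy have to be set up on their own.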

I will give that a try, thanks for the input. Do you think I can use the same mechanism to authenticate users for AD and shell access based on group membership?

I use IAS and RADIUS for VPN auth and shell access auth but haven't been able to make sure that VPN-authed users have no access to the ASA shell.

e.g. group membership or OU -> NetAdmins = Shell

or group membership or OU -> VPNUsers = VPN Auth.

Roble