03-18-2008 01:08 AM - edited 03-10-2019 03:43 PM
Hi All,
I've configured SSLVPN on Cisco ASA 5540 to authenticate using Windows AD by providing DomainController information. Though the authentication is working, I'm bit concerned about the security as this method of authentication mechanism would expose remote access to every other account on Windows AD (including service accounts).
Is there a mecahnism / way to restrict the authenticate to specific group of users while using Windows AD for authentication on Cisco ASA for SSLVpn?
Please note: There is no ACS server available on the network.
Appreciate quick help on this,
03-18-2008 08:30 AM
You can setup Dynamic Access Policies and configure it for a particular AD Security Group. You would need to map the LDAP memberOf field to the AD Security Group name.
Josh
03-21-2008 02:14 AM
Hi Josh,
Thanks for this excellent suggestion. Though would like to know if I need to enable LDAP authentication for WebUsers OR still live with Windows Auth using the following commands..
aaa-server ADdomain protocol nt
aaa-server ADdomain host 1.1.1.1
nt-auth-domain.controller dc1
Thanks
03-21-2008 12:45 PM
Hi,
another way might be to configure a MS IAS server on one of your Windows Servers.
Creating Remote Access policys and using the IAS as a Radius server might have a advantage that You can use it for more then just Web VPN, like perhaps 802.1x on WLANs etc.
Another would be that it might be easier to create multiple and different access policys for different AD-security groups.
Hope this helps in some way
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide