Re: Anyconnect Authentication

zekebash · ‎12-20-2021

Hello,

We are currently using a Radius server to authenticate users using Anyconnect. The Radius server is tied to MS AD\Domain Users & \Domain Computers. So, any user who has an AD account can login using their AD creds.

I have an assignment to create a new connection profile so that specific end-users can authenticate against specific AD group called "SG_NtwkSupport"

How do I go about configuring a Connection profile/Global Policy where it points/links to the Radius server where that Radius server in linked to the AD\SG_NtwkSupport group?

Thanks in advance.

~zK

Kasun Bandara · ‎12-20-2021

Hi,

below will give good guide

https://www.petenetlive.com/KB/Article/0001474

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Marvin Rhoads · ‎12-20-2021

We do this most commonly with an LDAP Attribute map.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

However it can also be done in a pure RADIUS environment. Generally speaking, the VPN headend has a default group policy that allows zero connections. Once a user authenticates (and assuming they are in the group that the RADIUS server checks for) the RADIUS server returns an Authorization result overriding the default group policy and directing the VPN headend to assign a group policy that allows connections.

Depending on what RADIUS server you are using, there may be some step by step guides you can reference. Cisco ISE and Microsoft NPS are the most common ones in this scenario.

nconroy · ‎12-22-2021

You can do this with LDAP attribute mapping on Cisco Firewalls:

But depending on what type of Radius server you are using you should be able to pass back attributes as well. Several methods to do this depending upon your topology.

Guide is here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html