12-20-2021 04:21 PM
Hello,
We are currently using a Radius server to authenticate users using AnyConnect. The Radius server is tied to MS AD\Domain Users & \Domain Computers. So, any user who has an AD account can log in using their AD creds.
I have an assignment to create a new connection profile so that specific end-users can authenticate against a specific AD group called "SG_NtwkSupport".
How do I go about configuring a Connection Profile/Group Policy where it points/links to the Radius server, where that Radius server is linked to the AD\SG_NtwkSupport group?
Thanks in advance.
~zK
12-20-2021 07:33 PM
Hi,
The link below will give a good guide:
https://www.petenetlive.com/KB/Article/0001474
12-20-2021 07:35 PM - edited 12-20-2021 07:36 PM
We do this most commonly with an LDAP Attribute map.
However, it can also be done in a pure RADIUS environment. Generally speaking, the VPN headend has a default group policy that allows zero connections. Once a user authenticates (and assuming they are in the group that the RADIUS server checks for), the RADIUS server returns an Authorization result overriding the default group policy and directing the VPN headend to assign a group policy that allows connections.
Depending on what RADIUS server you are using, there may be some step by step guides you can reference. Cisco ISE and Microsoft NPS are the most common ones in this scenario.
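As an added illustration of the "default policy allows zero logins, RADIUS overrides it" pattern described above (this is example configuration, not from the original post or any vendor document; the ASA names, the address pool, the 192.0.2.10 server address and the shared secret are placeholders, and the RADIUS server is assumed to be Microsoft NPS):

```cisco
! --- ASA side (example only; names, addresses and key are placeholders) ---
! Policy applied by default to the new connection profile: zero simultaneous
! logins, so a user who authenticates but gets no group-policy back from
! RADIUS is still refused a session.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy the RADIUS server hands back for members of SG_NtwkSupport.
ip local pool VPN_POOL_NtwkSupport 10.10.50.1-10.10.50.50 mask 255.255.255.0
group-policy GP_NtwkSupport internal
group-policy GP_NtwkSupport attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL_NtwkSupport

! RADIUS server group pointing at the NPS host (placeholder address/secret).
aaa-server RADIUS_NPS protocol radius
aaa-server RADIUS_NPS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! New connection profile (tunnel-group): authenticates against RADIUS and
! starts every session on GP_NOACCESS unless RADIUS overrides the policy.
tunnel-group TG_NtwkSupport type remote-access
tunnel-group TG_NtwkSupport general-attributes
 authentication-server-group RADIUS_NPS
 default-group-policy GP_NOACCESS
tunnel-group TG_NtwkSupport webvpn-attributes
 group-alias NtwkSupport enable
```

On the NPS side the matching piece is a Network Policy whose condition is "Windows Groups" = EXAMPLE\SG_NtwkSupport (optionally also "NAS IPv4 Address" = the ASA's address, so the policy only applies to this headend), and whose Settings > RADIUS Attributes > Standard include the IETF Class attribute (attribute 25) with the value `OU=GP_NtwkSupport;`; the ASA reads that Class value as the group-policy name to apply. A user outside the group either hits a deny policy on NPS or gets an Access-Accept with no Class attribute, and in both cases stays on GP_NOACCESS. To check it from the ASA, `test aaa-server authentication RADIUS_NPS host 192.0.2.10 username <user> password <pw>` shows whether the server accepts the user, and `show vpn-sessiondb anyconnect` shows which Group Policy a connected session actually received.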
12-22-2021 06:06 AM - edited 12-22-2021 06:07 AM
You can do this with LDAP attribute mapping on Cisco Firewalls:
But depending on what type of Radius server you are using, you should be able to pass back attributes as well. There are several methods to do this, depending upon your topology.
Guide is here:
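As an added example of the LDAP attribute-map approach mentioned in this post (example configuration, not from the original post or any guide; the server name, 192.0.2.20 address, bind account, base DN and the SG_NtwkSupport DN are placeholders you would replace with your own directory values), the ASA queries AD directly over LDAP and maps the user's memberOf value to a group policy:

```cisco
! --- Added example: ASA LDAP attribute map (DNs, names, host are placeholders) ---
! Map the AD attribute memberOf onto the ASA's Group-Policy attribute, and
! translate one specific group DN into the policy that allows VPN access.
! The DN string must match what AD returns exactly (case and spacing).
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=SG_NtwkSupport,OU=Groups,DC=example,DC=com" GP_NtwkSupport

! LDAP server group: bind account, search base and the attribute map above.
aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc_asa_ldap,OU=Service-Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP

! Same no-access default / allowed policy pair as in the RADIUS design:
! users whose memberOf does not match the map stay on GP_NOACCESS.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP_NtwkSupport internal
group-policy GP_NtwkSupport attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client

tunnel-group TG_NtwkSupport type remote-access
tunnel-group TG_NtwkSupport general-attributes
 authentication-server-group LDAP_AD
 default-group-policy GP_NOACCESS
```

Two caveats worth knowing before relying on this: memberOf only lists the groups a user is a direct member of, so nested group membership will not match the map-value; and because the ASA binds to AD with a stored service-account password, give that account read-only directory rights and use LDAPS (`ldap-over-ssl enable` on the server entry with port 636) rather than plain LDAP on port 389. `debug ldap 255` during a test login prints the attributes AD returned and the map result, which is the quickest way to see why a user landed on the wrong policy.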