AnyConnect Authentication
12-20-2021 04:21 PM
Hello,
We are currently using a RADIUS server to authenticate users using AnyConnect. The RADIUS server is tied to MS AD\Domain Users & \Domain Computers. So, any user who has an AD account can log in using their AD creds.
I have an assignment to create a new connection profile so that specific end-users can authenticate against a specific AD group called "SG_NtwkSupport".
How do I go about configuring a connection profile/group policy that points/links to the RADIUS server, where that RADIUS server is linked to the AD\SG_NtwkSupport group?
Thanks in advance.
~zK
12-20-2021 07:33 PM
Hi,
The link below will give a good guide:
https://www.petenetlive.com/KB/Article/0001474
Good luck
KB
12-20-2021 07:35 PM - edited 12-20-2021 07:36 PM
We do this most commonly with an LDAP Attribute map.
However, it can also be done in a pure RADIUS environment. Generally speaking, the VPN headend has a default group policy that allows zero connections. Once a user authenticates (and assuming they are in the group that the RADIUS server checks for), the RADIUS server returns an authorization result that overrides the default group policy and directs the VPN headend to assign a group policy that allows connections.
Depending on what RADIUS server you are using, there may be some step by step guides you can reference. Cisco ISE and Microsoft NPS are the most common ones in this scenario.
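The deny-by-default pattern described in the reply above, written out as an ASA CLI configuration. This is an added example, not configuration from the reply's author or from Cisco; the server address 10.1.1.10, the names RADIUS_SRV, NOACCESS, GP_NTWKSUPPORT, NTWKSUPPORT and VPN_POOL are placeholders chosen here, and it assumes an ASA headend on which AnyConnect (webvpn, address pool, enabled interface) is already working, as the original poster's is.

```text
! --- RADIUS server that fronts AD. The server, not the ASA, decides
! --- whether the user is a member of SG_NtwkSupport.
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.1.1.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! --- Default policy for the connection profile: zero simultaneous
! --- logins, so a successful authentication that carries no group
! --- policy override is still refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! --- Policy that actually permits a session. It is never assigned by
! --- the ASA itself; only a RADIUS authorization attribute selects it.
group-policy GP_NTWKSUPPORT internal
group-policy GP_NTWKSUPPORT attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL
 ! Optional: refuse this policy if it is returned for any other
 ! connection profile.
 group-lock value NTWKSUPPORT

! --- Connection profile (tunnel-group) the end users pick.
tunnel-group NTWKSUPPORT type remote-access
tunnel-group NTWKSUPPORT general-attributes
 authentication-server-group RADIUS_SRV
 default-group-policy NOACCESS
tunnel-group NTWKSUPPORT webvpn-attributes
 group-alias NtwkSupport enable

! --- On the RADIUS side (NPS network policy / ISE authorization
! --- profile) the rule that matches SG_NtwkSupport must return, for
! --- members only, either
! ---   IETF Class (attribute 25)        = "OU=GP_NTWKSUPPORT;"
! --- or
! ---   Cisco VSA Group-Policy (3076/25) = "GP_NTWKSUPPORT"
! --- Non-members get Access-Accept with no such attribute (and stay on
! --- NOACCESS) or, better, Access-Reject.
```

Two checks worth doing before handing this over: `test aaa-server authentication RADIUS_SRV host 10.1.1.10 username <user> password <pw>` confirms the ASA can reach the server, and `show vpn-sessiondb anyconnect filter name <user>` after a login shows which group policy was actually applied, so you can confirm a non-member lands on NOACCESS rather than on the permissive policy. The profile's default must stay at zero logins: if the RADIUS policy for SG_NtwkSupport is ever misconfigured to match all AD users, the deny-by-default group policy is the only thing that keeps the broader Domain Users population out of this profile.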
12-22-2021 06:06 AM - edited 12-22-2021 06:07 AM
You can do this with LDAP attribute mapping on Cisco firewalls.
But depending on what type of RADIUS server you are using, you should be able to pass back attributes as well. There are several methods to do this depending upon your topology.
Guide is here:
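The LDAP attribute-map approach that this reply and the earlier one both mention, written out for an ASA. This is an added example, not the reply author's configuration or the missing guide; the server address 10.1.1.20, the domain example.com, the bind account svc_asa and the names AD_MAP, LDAP_SRV, NOACCESS and GP_NTWKSUPPORT are placeholders assumed here, and it assumes the ASA authenticates against AD directly over LDAP (typically LDAPS in practice) instead of, or alongside, the RADIUS server in the original post.

```text
! --- Map the AD memberOf attribute onto the ASA's Group-Policy
! --- attribute. Only the listed DN produces a value; any other
! --- group membership maps to nothing, so the user keeps the default.
ldap attribute-map AD_MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=SG_NtwkSupport,OU=Groups,DC=example,DC=com GP_NTWKSUPPORT

! --- LDAP server definition. The bind account only needs read access
! --- to user objects and their memberOf attribute.
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.1.1.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc_asa,CN=Users,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD_MAP

! --- Same deny-by-default shape as with RADIUS: the connection profile
! --- defaults to a policy with zero logins, and only a mapped
! --- memberOf value moves the user to GP_NTWKSUPPORT.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP_NTWKSUPPORT internal
group-policy GP_NTWKSUPPORT attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client

tunnel-group NTWKSUPPORT type remote-access
tunnel-group NTWKSUPPORT general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy NOACCESS
```

The map-value DN has to match the group's distinguishedName exactly (case-insensitive, but every RDN present), and memberOf only lists direct memberships, so a user who is in SG_NtwkSupport through a nested group will not be mapped. `debug ldap 255` during a test login shows the memberOf values the ASA receives and the Group-Policy value it derives, which is the quickest way to find a DN mismatch.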
