Configure a Network Policy for VLANs on ASA

ABaker94985
Spotlight

We have a pair of ASA 5545-Xs running 9.14.2 that we'd like to try to configure with Windows NPS so that users are placed into VLANs when they VPN into our firewall. Reference https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-configure and the section on "Configure a Network Policy for VLANs". On the Windows NPS server, Tunnel-Pvt-Group-ID is configured, which assigns users in a group to a particular VLAN. Will the ASA understand the attribute and put the user into the correct VLAN? Users log in using SAML for SSO and MFA to Azure, and ISE is not currently available.

I should mention I see the VLAN keyword under group-policy, but I don't think this is quite what I need. We have several hundred VPN users, and I don't see a way to lock a user group to a VLAN using this procedure. Thanks

Accepted Solution

Milos_Jovanovic
VIP Alumni

Hi @ABaker94985,

You can't use the VLAN attribute on ASA. This approach is meant for 802.1X on WiFi or wired. On ASA, you can assign a different IP pool, which provides you with a similar approach.

For assigning an IP pool, check this thread. There you can see the required attribute.

If you are using ASA-Azure integration with SAML, you'll need to add an authorize-only server in order to get this configuration from the RADIUS server. You can find some explanation here. I also managed to find this explanation for Microsoft NPS.

This way, you'll get your authentication from SSO, and once authenticated, you'll proceed to authorization, where you can assign your attributes from AAA server.

BR,

Milos

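The flow the accepted answer describes (SAML for authentication, an authorize-only RADIUS server for authorization, and a per-group IP pool standing in for the VLAN) as an ASA configuration. This is an added example, not configuration from the thread or from Cisco; the server group name, interface, addresses, pool ranges, group-policy names, and the use of the IETF Class attribute to select the group-policy are all assumptions, and the shared secret, common password and IdP entity ID are placeholders.

```cisco
! Added example (not from the thread). Assumed: NPS at 10.0.0.10 reachable on
! the "inside" interface; AD groups "Engineering" and "Finance" mapped in NPS
! Network Policies to group-policies GP-ENG and GP-FIN; SAML IdP already
! defined under "webvpn / saml idp". All names and addresses are placeholders.

! 1. Authorize-only RADIUS server group. The ASA does not have the user's
!    password after SAML, so it sends only the username plus radius-common-pw;
!    NPS answers with the per-group attributes.
aaa-server NPS-AUTHZ protocol radius
aaa-server NPS-AUTHZ (inside) host 10.0.0.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
 radius-common-pw <common-password>
 authorize-only

! 2. One address pool per "VLAN": the ASA ignores Tunnel-Pvt-Group-ID, so the
!    segmentation is done by giving each group its own subnet, which the
!    inside ACLs / downstream firewall can then treat like a VLAN.
ip local pool POOL-ENG 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL-FIN 10.10.2.1-10.10.2.254 mask 255.255.255.0

! 3. A group-policy per pool. NPS selects the policy by returning the IETF
!    Class attribute (25) as "OU=GP-ENG;" or "OU=GP-FIN;" in the Access-Accept;
!    the ASA maps that value to the group-policy of the same name.
group-policy GP-ENG internal
group-policy GP-ENG attributes
 address-pools value POOL-ENG
group-policy GP-FIN internal
group-policy GP-FIN attributes
 address-pools value POOL-FIN

! Deny-by-default: a user who is authorized but gets no Class attribute lands
! here and cannot establish a session rather than falling into a shared pool.
group-policy GP-DEFAULT internal
group-policy GP-DEFAULT attributes
 vpn-simultaneous-logins 0

! 4. Tunnel-group: SAML authenticates, NPS authorizes. authorization-required
!    fails the session if NPS does not return an Access-Accept.
tunnel-group VPN-SAML type remote-access
tunnel-group VPN-SAML general-attributes
 authorization-server-group NPS-AUTHZ
 authorization-required
 default-group-policy GP-DEFAULT
tunnel-group VPN-SAML webvpn-attributes
 authentication saml
 saml identity-provider <idp-entity-id>
```

To check the authorization leg without a client, `test aaa-server authorization NPS-AUTHZ username <user>` shows whether NPS answers and which attributes come back; after a real login, `show vpn-sessiondb anyconnect filter name <user>` shows the group-policy and assigned address. The ASA also accepts the Cisco VSA Address-Pools (vendor 3076, attribute 217) to name the pool directly instead of going through a group-policy. Two caveats: the authorize-only exchange is only as trustworthy as the RADIUS path, so restrict the NPS client entry to the ASA's address and keep the shared secret and common password out of other RADIUS clients; and the pool gives you a routable subnet, not a layer-2 VLAN, so the per-group access control still has to be expressed in ACLs or on the next-hop firewall.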
