Configure a Network Policy for VLANs on ASA

ABaker94985 (Spotlight)

We have a pair of ASA 5545-Xs running 9.14.2, and we'd like to try configuring Windows NPS so that users are placed into VLANs when they VPN into our firewall. Reference https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-configure and the section on "Configure a Network Policy for VLANs". On the Windows NPS server, Tunnel-Pvt-Group-ID is configured, which assigns users in a group to a particular VLAN. Will the ASA understand the attribute and put the user into the correct VLAN? Users log in using SAML for SSO and MFA to Azure, and ISE is not currently available.

 

I should mention that I see the VLAN keyword under group-policy, but I don't think this is quite what I need. We have several hundred VPN users, and I don't see a way to lock a user group to a VLAN using this procedure. Thanks.

Accepted Solution

Milos_Jovanovic (VIP Alumni)

Hi @ABaker94985,

You can't use the VLAN attribute on the ASA. This approach is meant for 802.1X on Wi-Fi or wired. On the ASA, you can assign a different IP pool, which gives you a similar approach.

For assigning an IP pool, check this thread. There you can see the required attribute.

If you are using the ASA-Azure integration with SAML, you'll need to add an authorize-only server in order to get this configuration from the RADIUS server. You can find some explanation here. I also managed to find this explanation for Microsoft NPS.

This way, you'll get your authentication from SSO, and once authenticated, you'll proceed to authorization, where you can assign your attributes from the AAA server.

BR,

Milos

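As an added illustration of the design the accepted answer describes (SAML for authentication, RADIUS/NPS for authorization, per-group address pools instead of VLANs), here is an ASA 9.14-style configuration sketch. It is not from the original post or from Cisco's documentation; the pool names, group-policy names, tunnel-group name, server address and shared secret are placeholders, and the existing SAML IdP definition under `webvpn` is assumed to already be in place since the poster's SSO login works.

```text
! Added example, not part of the original thread. All names and addresses are assumed.

! One local pool per "VLAN" you would otherwise assign with Tunnel-Pvt-Group-ID.
ip local pool POOL-ENG 10.20.10.1-10.20.10.254 mask 255.255.255.0
ip local pool POOL-FIN 10.20.20.1-10.20.20.254 mask 255.255.255.0

! One group policy per pool. The pool is the only thing that differs;
! the rest of the VPN settings can be inherited from DfltGrpPolicy.
group-policy GP-ENG internal
group-policy GP-ENG attributes
 address-pools value POOL-ENG
group-policy GP-FIN internal
group-policy GP-FIN attributes
 address-pools value POOL-FIN

! RADIUS server object pointing at NPS. It is used for authorization only;
! the ASA never sends the user's password here, because SAML did the authentication.
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.10.10.5
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! Tunnel group: authenticate via SAML, then authorize via NPS.
! authorization-required makes a failed or unanswered authorization reject the
! session instead of silently dropping the user into the default group policy.
tunnel-group AZURE-SAML type remote-access
tunnel-group AZURE-SAML general-attributes
 authorization-server-group NPS
 authorization-required
tunnel-group AZURE-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id-placeholder>/

! Neither the tunnel group nor DfltGrpPolicy carries an address pool, so a user for
! whom NPS returns an Access-Accept without a group-policy attribute gets no address
! and the connection fails closed rather than landing in an unintended subnet.
```

On the NPS side, the network policy that today returns Tunnel-Pvt-Group-ID would instead be conditioned on the user's Windows group and return the IETF RADIUS Class attribute (25) with the value `OU=GP-ENG;` (or `OU=GP-FIN;`); the ASA maps a Class value of that form to the named group policy, which is what pulls in the pool. The Cisco VSA Address-Pools (vendor 3076, attribute 217) can name the pool directly instead, but Class keeps all VPN settings in one group policy. How NPS is made to answer the ASA's authorize-only request (the part the answer's lost links covered) is not shown here. Verify the result per user with `show vpn-sessiondb anyconnect filter name <user>` and confirm the assigned address falls in the expected pool.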
