How do I use an Active Directory group for VPN and not all users

Neetu Bhushan
Level 1

Hi all,

I have an ASA 5515-X...

How do I use a particular group in Active Directory to have VPN/AnyConnect access? Right now I believe it's for all users on my current config:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
! integrate with Active Directory
! AAA server group of type LDAP
aaa-server LDAPSERVERS protocol ldap
! domain controller reached through the vlan192 interface
aaa-server LDAPSERVERS (vlan192) host 10.0.0.2
 ! search base and scope for user lookups
 ldap-base-dn dc=company,dc=com
 ldap-scope subtree
 ! LDAP attribute matched against the username entered at login
 ldap-naming-attribute sAMAccountName
 ! bind account credentials the ASA uses for the lookup
 ldap-login-password 12345678
 ldap-login-dn cn=administrator,cn=Users,dc=company,dc=com
 server-type auto-detect
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Say I want to use this "vpn-group" group object in AD, and my VPN is AnyConnect only and no other VPN types.

Thanks for any comment you may add.

1 Reply

Marvin Rhoads
Hall of Fame

The best way is to use Dynamic Access Policies (DAP). Cisco has a white paper (here) that shows how one can choose the LDAP group as one of the DAP criteria.

DAP requires the Advanced Endpoint Assessment feature, so your licensing must support that.
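One common ASA CLI way to reach the asker's goal, shown here as an added example that is not from the thread and uses an LDAP attribute map instead of the DAP approach the reply recommends: members of the AD group vpn-group are mapped to a group policy that allows AnyConnect, and everyone else lands in a default policy with zero simultaneous logins. The server group, interface, host and base DN come from the question; the group's OU, the policy and tunnel-group names and the "outside" interface are assumptions.

```cisco
! Added example, not part of the thread. Assumed names: AD-GROUP-MAP,
! GP-VPN-ALLOW, GP-NOACCESS, ANYCONNECT-TG, OU=Groups, interface "outside".

! 1. Map the AD attribute memberOf to the ASA attribute Group-Policy.
!    The value must be the group's full DN exactly as stored in AD.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=vpn-group,OU=Groups,DC=company,DC=com" GP-VPN-ALLOW

! 2. Attach the map to the LDAP host already defined in the question.
aaa-server LDAPSERVERS (vlan192) host 10.0.0.2
 ldap-attribute-map AD-GROUP-MAP

! 3. Policy for vpn-group members: AnyConnect (SSL and IKEv2) only,
!    no clientless or IPsec IKEv1 remote access.
group-policy GP-VPN-ALLOW internal
group-policy GP-VPN-ALLOW attributes
 vpn-tunnel-protocol ssl-client ikev2
 vpn-simultaneous-logins 3

! 4. Default policy for everyone else: a user who authenticates
!    successfully but is not in vpn-group gets zero logins, so the
!    session is rejected even though the AD password was correct.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client ikev2

! 5. Tunnel group: authenticate against AD and start from GP-NOACCESS;
!    only the attribute map can promote a session to GP-VPN-ALLOW.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group LDAPSERVERS
 default-group-policy GP-NOACCESS
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias AnyConnect enable

! 6. Enable AnyConnect on the outside interface (assumes the AnyConnect
!    package image is already installed on the ASA).
webvpn
 enable outside
 anyconnect enable
```

After a test login, "show vpn-sessiondb anyconnect" shows which group policy was applied, and "debug ldap 255" prints the memberOf values the ASA received so a DN mismatch in the map-value line is easy to spot.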