Cisco AnyConnect authenticate against LDAP group membership

cammaher
Level 1

Hi,

In short, we are trying to create an AnyConnect profile on our Cisco ASA that authenticates against our LDAP (AD), but will only authenticate against a particular group. So, if your user account is a member of the group you are authenticated; if not, authentication fails.

Our current setup is 2 x Cisco ASA 5525-X running in HA, version 9.1(2). They are working to provide remote access via Cisco AnyConnect for all of our remote users. Currently we have an AAA server set up to authenticate against the LDAP directory and that is working perfectly. As mentioned, we wanted to create another AnyConnect policy that would authenticate against the same LDAP directory but only provide successful authentication if the user account is a member of that particular group.


Any help/direction would be greatly appreciated. Please let me know if you need more information.


Thanks,
Cam

2 Replies

adamtodd16
Level 3

Are you using Windows Server for RADIUS?

If so, create a remote access policy that requires the user to be a member of a Windows group.

Hi Adam,

Thanks for the response. We aren't using Windows Server for RADIUS.

The options we have are to use LDAP directly, or we do have a Cisco ACS that authenticates using TACACS+.


Any other ideas?

Thanks.