How do I lock VPN users into a certain group-policy with ASA-ACS 5.2?
I have a Cisco ASA (8.2) with several group-policies setup. By default, I can hit the SSL page, and have a selection of available group-policies for a user to login to. I want to have different ACLs for each group, to go along with the subnet that each particular group hands out. Right now, as long as a user is authenticated through AAA, they can log in to any group they select, and therefore, have more permissions than another group.
I know how to hide the list, but I need to be able to assign a specific group to a user based on an attribute in ACS.
I've setup ACS to use the "CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock" Atttribute, to which I match the group-policy name in the ASA, to the attribute on the user account in ACS.
This doesn't seem to work, and it just throws the user into DfltGrpPlcy, which doesn't give the user anything. So it's either wide-open, or it's broken.
I'm using RADIUS authentication and not TACACS, so it should retrieve the attributes, and according to the ACS, it grabs the attribute during the authentication process.
Re: How do I lock VPN users into a certain group-policy with ASA
not sure why this is not working, you may want to check "debug radius" to verify the ASA is getting the correct attribute. Note that the value should be the name of a Tunnel-group, not of a Group-policy.
Alternatively, toss out the tunnel-group-lock attribute and instead push the group-policy (not the tunnel-group) as IETF attribute 25 ('Class').
This will apply that group-policy regardless of which tunnel-group the user selects (or of course in that case you can hide the group selection box).
This is to address those customers coming to ISE from ACS or new to ISE that need a password change portal (UCP)
What are the licensing requirements for this solution?
My Devices - For using the password change with My Devices you need plus licenses as ...
In this paper we will document the configuration and operation of an integrated solution that includes identity management, firewall, cloud-based management, and cloud-based logging.
We will use the following Cisco products:
These days everything is in the cloud. We all know that Cisco Firepower Threat Defense (FTD) is a unified software image, which includes the Cisco ASA features and FirePOWER Services. Using Cisco Defense Orchestrator (CDO), you can manage physical or virt...
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that provides a simple, consistent, and highly secure way of managing security policies on all your ASA devices. CDO helps you optimize your ASA environment by identifying problems wi...