I currently have an ASA running with 8.4.(x). The configuration has a group-policy and tunnel-policy for corporate users. This policy authenticates against SDI (RSA server with tokens).
I now need to create another group-policy and tunnel-policy, the differences to the corp group are only:
- Different IP pool
- only certain users are allowed
This second group is for IT personal only when they do certain administrative work. I.e. for normal login to get to their desktop or email, they should be using the corp access. If they login to do work on let us say network switches, they need to use this second group.Only the IP pool of the second group is allowed on another firewall to access the network where the network switches are on.
So how can I restrict what users can use the second group? DAP?
Yes, DAP will do it.
Created DAP entries which match aaa.cisco.username AND aaa.cisco.grouppolicy for each of the users I want to allow access in the second group. Then an entry for our main group and default set to deny.
DAP is a great option. If you have RADIUS support on your RSA box you can also use radius attributes to return tunnel-group attributes and configure tunnel-group lock. LDAP will do this also, but I've never done it with that.
Sent from Cisco Technical Support iPhone App
@Marvin - We use DAP along with RADIUS attributes to accomplish what this user is asking and we do not have the Advanced Endpoint Assessment license. My understanding is that the AEA license is more for posture assesment and remediation.
Advanced Endpoint Assessment : Disabled perpetual
If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
Hello Team - Please allow me to resurect this old post, is there another way to do this besides DAP or RADIUS (ISE or ACS)?