
Restrict certain AD users from VPN access?

Is it possible to deny VPN access to specific AD accounts?

Currently set up with a 5520, LDAP authentication for VPN users.

3 REPLIES

Restrict certain AD users from VPN access?

You can use the Dial-in setting in the user account properties, and you need to map this user attribute in the ASA. The configuration will look like this:

! Map the AD Dial-in attribute (msNPAllowDialin) to the class attribute, which names the group policy to apply
ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS

! Attach the attribute map to the LDAP (Active Directory) server
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP host 172.18.254.49
 server-type microsoft
 ldap-attribute-map CISCOMAP

If you select Allow access in the user's AD attributes, then the user can connect to the VPN; otherwise not.

With Regards,

Safwan

Don't forget to rate helpful posts



Restrict certain AD users from VPN access?

Thanks for the reply.

What if the authentication is Kerberos?

Restrict certain AD users from VPN access?

No, it's not possible with Kerberos authentication, but you can do it like this: Kerberos for authentication and LDAP for authorization.

With Regards,

Safwan

Don't forget to rate helpful posts
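
The pieces the two answers rely on but do not show, as an added example that is not part of the original posts: the group policies named by the map-values in CISCOMAP, and a tunnel group that authenticates with Kerberos and authorizes through LDAPGROUP. The names KERBGROUP and RAVPN, the realm EXAMPLE.COM, the Kerberos host address and the login limit of 3 are assumptions, and the syntax assumes ASA 8.x.

```cisco
! Group policies selected by the map-values in CISCOMAP.
! Zero simultaneous logins means every connection attempt is refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 vpn-simultaneous-logins 3
!
! Kerberos server group used for authentication only
! (hypothetical name, host and realm).
aaa-server KERBGROUP protocol kerberos
aaa-server KERBGROUP host 172.18.254.49
 kerberos-realm EXAMPLE.COM
!
! Tunnel group (hypothetical name): Kerberos checks the password,
! then the LDAP lookup applies CISCOMAP to pick the group policy.
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 authentication-server-group KERBGROUP
 authorization-server-group LDAPGROUP
 ! A user with no matching msNPAllowDialin value gets the default
 ! group policy, so the default is the deny policy (fail closed).
 default-group-policy NOACCESS
```

After applying it, test with one account set to Allow access and one set to Deny access, and confirm on the ASA with `show vpn-sessiondb` that only the allowed account holds a session.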

