06-21-2021 07:16 AM
Is there a way to provide users with different GPs based on their Azure AD group membership while using SAML?
Most popular SAML guides are only about providing the default group-policy to the tunnel-group.
06-21-2021 11:50 AM - edited 06-21-2021 11:51 AM
Yes, you can use an external AAA server with a protocol such as RADIUS or LDAP to perform the authorization part.
This authorization server can send a specific group-policy for the connection.
For example, if using RADIUS, the server can send attribute 25, which is for group-policy assignment.
If LDAP, an LDAP attribute map can be used; link for config:
Then, you would configure the AAA server under the SAML tunnel-group with the command "authorization-server-group".
Rate if it helps.
Regards,
Josue Brenes
TAC - VPN Engineer.
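The configuration the answer above describes, written out as an added example (it is not from the original post or from Cisco's documentation). It assumes: an ASA tunnel-group named SAML-TG that already authenticates via the Azure AD SAML identity provider, an LDAP-reachable directory (on-premises AD synced with Azure AD, or Azure AD Domain Services; plain Azure AD does not expose LDAP) at 10.0.0.10 under DC=example,DC=com, two AD groups VPN-Admins and VPN-Users, and group-policies GP-ADMINS, GP-USERS and GP-NOACCESS. All of those names and addresses are placeholders.

```text
! Added example, not from the original thread. Hostnames, DNs, group and
! policy names are assumed placeholders; adjust to your environment.

! 1. Map the AD group in memberOf to a group-policy name.
ldap attribute-map AZUREAD-GP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP-ADMINS
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com"  GP-USERS

! 2. LDAP server used for authorization only (authentication stays SAML).
!    ldap-naming-attribute must match what the IdP sends as the SAML NameID,
!    otherwise the user lookup fails and no group-policy is returned.
aaa-server LDAP-AUTHZ protocol ldap
aaa-server LDAP-AUTHZ (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AZUREAD-GP

! 3. Per-group policies, plus a deny policy for anyone not matched by the map.
group-policy GP-ADMINS internal
group-policy GP-USERS internal
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! 4. Attach the authorization server to the SAML tunnel-group.
tunnel-group SAML-TG type remote-access
tunnel-group SAML-TG general-attributes
 default-group-policy GP-NOACCESS
 authorization-server-group LDAP-AUTHZ
tunnel-group SAML-TG webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/

! RADIUS alternative: instead of the LDAP map, the RADIUS server returns
! IETF attribute 25 (Class) with the value "OU=GP-USERS" and the
! authorization-server-group line points at the RADIUS aaa-server instead.
```

Two points worth checking after applying this. First, setting default-group-policy to a policy with vpn-simultaneous-logins 0 means a user who authenticates at Azure AD but is in none of the mapped groups is refused rather than silently landing in a permissive default; test with an account outside both groups to confirm. Second, `debug ldap 255` and `show vpn-sessiondb anyconnect filter name <user>` will show which group-policy the map returned for a given login, which is the quickest way to catch a memberOf DN that does not match the map exactly.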
06-23-2021 01:08 AM
You knew it! Seems to be working OK, thank you!
BTW is there a way to evade 'Cisco AnyConnect Login, Pick an account' window after you've successfully authorized once? Could be good to have one single click to start and complete the connection.