Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2786
Views
5
Helpful
2
Replies

Anyconect SAML and multiple group-policies

Go to solution
Roman Samoylov
Level 1
Level 1

‎06-21-2021 07:16 AM

Is there a way to provide users with different GPs based on their Azure AD group membership while using SAML?

Most popular SAML guide's about providing only default group-policy to tunnel-group.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Josue Brenes
Cisco Employee
Cisco Employee

‎06-21-2021 11:50 AM - edited ‎06-21-2021 11:51 AM

Yes, you can use an external AAA server with protocols as Radius or LDAP to perform the authorization part.

This authorization server can send a specific group-policy for the connection.

For example, if using Radius, the server can send attribute 25 which is for the group-policy assignment.

If LDAP, attribute ldap mapping can be used, link for config:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Then, you would configure the AAA server under the SAML tunnel-group with the command: "authorization-server-group".

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

View solution in original post

2 Replies 2

Go to solution
Josue Brenes
Cisco Employee
Cisco Employee

‎06-21-2021 11:50 AM - edited ‎06-21-2021 11:51 AM

Yes, you can use an external AAA server with protocols as Radius or LDAP to perform the authorization part.

This authorization server can send a specific group-policy for the connection.

For example, if using Radius, the server can send attribute 25 which is for the group-policy assignment.

If LDAP, attribute ldap mapping can be used, link for config:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Then, you would configure the AAA server under the SAML tunnel-group with the command: "authorization-server-group".

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

Go to solution
Roman Samoylov
Level 1
Level 1
In response to Josue Brenes

‎06-23-2021 01:08 AM

You knew it! Seems to be working OK, thank you!

 

BTW is there a way to evade 'Cisco AnyConnect Login, Pick an account' window after you've successfully authorized once? Could be good to have one single click to start and complete the connection.

0 Helpful
Customers Also Viewed These Support Documents