I've been using SAML on an AnyConnect VPN Connection Profile for some time to trigger MFA. But I would like to limit access of VPN to only members of a particular Windows Active Directory group. Can this be accomplished in ASDM by going to Advanced/Authorization and choosing LDAP assuming that the attributes spelling out the allowed AD group are configured for that server group? I had seen another post about making use of AAA server group for authorization. I tried adding a server group and ticking the box Users must exist in the Authorization database to Connect. But this seemed to fail. Insight appreciated!
Yes, you can use the Cisco Adaptive Security Device Manager (ASDM) to limit access to an AnyConnect VPN connection profile to only members of a particular Windows Active Directory (AD) group. This can be accomplished by configuring an access control list (ACL) on the connection profile in ASDM, which will allow only users who are members of the specified AD group to authenticate and connect to the VPN.
To configure an ACL on an AnyConnect VPN connection profile in ASDM, follow these steps:
Log in to the ASDM web interface and go to the "Configuration" > "Remote Access VPN" > "Network (Client) Access" section.
Click on the "Connection Profiles" tab and then click the "Add" button to create a new connection profile.
Enter a name and description for the connection profile, and then click the "Advanced" button to access the advanced settings.
In the "Group Policies" section, click the "Add" button to create a new group policy.
In the "Group Policy" window, enter a name and description for the group policy, and then select the "Windows Group" option in the "Access Control List Type" dropdown.
In the "Group Name" field, enter the name of the Windows AD group that you want to allow access to the VPN.
Click the "OK" button to save the group policy, and then click the "Apply" button to save the connection profile.
Once you have configured an ACL on the connection profile, only users who are members of the specified AD group will be able to authenticate and connect to the VPN.