AnyConnect SAML and Restricting Access by AD Group

CiscoMedMed
Level 1

I've been using SAML on an AnyConnect VPN Connection Profile for some time to trigger MFA. But I would like to limit access of VPN to only members of a particular Windows Active Directory group. Can this be accomplished in ASDM by going to Advanced/Authorization and choosing LDAP, assuming that the attributes spelling out the allowed AD group are configured for that server group? I had seen another post about making use of an AAA server group for authorization. I tried adding a server group and ticking the box "Users must exist in the Authorization database to Connect". But this seemed to fail. Insight appreciated!


MaxShantar
Cisco Employee

Yes, you can use the Cisco Adaptive Security Device Manager (ASDM) to limit access to an AnyConnect VPN connection profile to only members of a particular Windows Active Directory (AD) group. This can be accomplished by configuring an access control list (ACL) on the connection profile in ASDM, which will allow only users who are members of the specified AD group to authenticate and connect to the VPN.

To configure an ACL on an AnyConnect VPN connection profile in ASDM, follow these steps:

  1. Log in to the ASDM web interface and go to the "Configuration" > "Remote Access VPN" > "Network (Client) Access" section.

  2. Click on the "Connection Profiles" tab and then click the "Add" button to create a new connection profile.

  3. Enter a name and description for the connection profile, and then click the "Advanced" button to access the advanced settings.

  4. In the "Group Policies" section, click the "Add" button to create a new group policy.

  5. In the "Group Policy" window, enter a name and description for the group policy, and then select the "Windows Group" option in the "Access Control List Type" dropdown.

  6. In the "Group Name" field, enter the name of the Windows AD group that you want to allow access to the VPN.

  7. Click the "OK" button to save the group policy, and then click the "Apply" button to save the connection profile.

Once you have configured an ACL on the connection profile, only users who are members of the specified AD group will be able to authenticate and connect to the VPN.
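For reference, here is the ASA CLI form of the LDAP authorization approach the question asks about (SAML for authentication and MFA, a separate LDAP server group for authorization, and an LDAP attribute map that turns AD group membership into a group policy). This is an added example, not configuration from either poster; every name, IP address, DN and URL in it is a placeholder, and it assumes the SAML identity provider is already defined under `webvpn` as the question says it is.

```cisco
! Added example, not from either post. All names, addresses, DNs and the
! IdP URL below are placeholders; replace them with your own values.
!
! 1. LDAP attribute map: translate AD "memberOf" values into ASA group-policy
!    names. Only the permitted AD group gets a mapping; every other member
!    falls through to the connection profile's default group policy.
ldap attribute-map MAP_AD_GROUPS
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Allowed,OU=Groups,DC=example,DC=local" GP_VPN_ALLOW
!
! 2. LDAP server group used for authorization only. SAML still performs
!    authentication and MFA; this lookup just retrieves the user's groups.
aaa-server LDAP_AUTHZ protocol ldap
aaa-server LDAP_AUTHZ (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=local
 ldap-login-password <placeholder-password>
 server-type microsoft
 ldap-attribute-map MAP_AD_GROUPS
!
! 3. Two group policies. GP_NOACCESS is the default; vpn-simultaneous-logins 0
!    makes the ASA reject any session that lands on it, so a user who is not
!    in the permitted AD group authenticates but cannot connect.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP_VPN_ALLOW internal
group-policy GP_VPN_ALLOW attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
!
! 4. Connection profile: SAML authentication, LDAP authorization with
!    authorization-required, and GP_NOACCESS as the fallback policy.
tunnel-group TG_SAML_VPN type remote-access
tunnel-group TG_SAML_VPN general-attributes
 authorization-server-group LDAP_AUTHZ
 default-group-policy GP_NOACCESS
 authorization-required
tunnel-group TG_SAML_VPN webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/placeholder-entity-id
```

Two things to check when this does not behave as expected. First, the username the IdP returns in the SAML assertion must be something the LDAP naming attribute can find; if the IdP sends a UPN rather than a sAMAccountName, change `ldap-naming-attribute` to `userPrincipalName`, otherwise the authorization lookup finds no user and the session is dropped even for permitted users. Second, `test aaa-server authorization LDAP_AUTHZ host 10.0.0.10 username <user>` from the ASA CLI shows whether the bind, the user lookup and the memberOf mapping succeed, and `show vpn-sessiondb anyconnect` shows which group policy a connected session actually received.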