Anyconnect authentication via Radius (IAS) using AD groups

JEFF SPRADLING
Level 1

Hi all,

I'm trying to figure out how to set up our ASA to use AD group membership to assign users a profile using Radius.  The goal is to set up different access into the network. 

For instance, one group would be allowed full access to the network, including access to infrastructure elements (ASA, routers, etc.)

Another group will be given basic access to the network, but no access to the DMZ.

Another group will be allowed access to the DMZ server, but not to the infrastructure.

We're currently using Radius (IAS) on Windows Server 2003.  Is there a way to check group membership in AD using Radius? 

I'd like to keep this as simple as possible, so I'm thinking of each profile using a different VPN pool, then using split-tunneling to put routes, or not, to the required networks on the user's device.  The users would only belong to one group in AD.  They will be able to choose their group, but if they're not a member they should be denied.

I've done LDAP authentication using group membership, but we need good accounting and logging so we'd like to use the Radius server.  I've looked for this info everywhere, but it's pretty elusive. 

Thanks for any suggestions, links, step-by-step instructions or volunteers to come on-site and help
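The setup described in the question (one tunnel group per access level, one pool each, group membership checked on the RADIUS side, non-members denied, accounting sent to the same server) can be expressed as an ASA configuration like the following. This is an added example, not configuration from the original post: all names, addresses, secrets and the three AD group names are assumptions. The mechanism it relies on is the standard one: each IAS remote access policy matches on the Windows-Groups condition and returns the IETF Class attribute (25) in the form OU=<group-policy-name>;, which the ASA maps to the named group-policy; group-lock then rejects the login if that policy does not belong to the tunnel group the user picked. The svc keywords are the 8.0 to 8.2 syntax of that era; later releases spell them ssl-client and anyconnect.

```cisco
! RADIUS (IAS) server group used for both authentication and accounting.
! Assumed: IAS host 10.10.10.5 on the inside interface, shared secret S3cret.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.10.10.5
 key S3cret
 authentication-port 1812
 accounting-port 1813

! One address pool per access level (assumed ranges).
ip local pool POOL_FULL  192.168.101.1-192.168.101.254 mask 255.255.255.0
ip local pool POOL_BASIC 192.168.102.1-192.168.102.254 mask 255.255.255.0
ip local pool POOL_DMZ   192.168.103.1-192.168.103.254 mask 255.255.255.0

! Split-tunnel lists: only the listed networks are routed into the tunnel.
! Assumed: inside 10.0.0.0/8, infrastructure management 10.255.0.0/16, DMZ 172.16.0.0/24.
access-list SPLIT_FULL  standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_FULL  standard permit 172.16.0.0 255.255.255.0
access-list SPLIT_BASIC standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_DMZ   standard permit 172.16.0.0 255.255.255.0

! Split-tunnel lists only control client routing; a vpn-filter is what the ASA enforces.
! "any" as source keeps the rules correct in both directions of the filter.
access-list VPNFILTER_BASIC extended deny   ip any 172.16.0.0 255.255.255.0
access-list VPNFILTER_BASIC extended deny   ip any 10.255.0.0 255.255.0.0
access-list VPNFILTER_BASIC extended permit ip any 10.0.0.0 255.0.0.0
access-list VPNFILTER_DMZ   extended permit ip any 172.16.0.0 255.255.255.0

! Fallback policy: an Access-Accept that carries no usable Class attribute lands here
! and is denied (zero simultaneous logins).
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! One group-policy per AD group. IAS returns Class = "OU=GP_FULL;" for DOMAIN\VPN-Full,
! "OU=GP_BASIC;" for DOMAIN\VPN-Basic and "OU=GP_DMZ;" for DOMAIN\VPN-DMZ (assumed names).
group-policy GP_FULL internal
group-policy GP_FULL attributes
 vpn-tunnel-protocol svc
 address-pools value POOL_FULL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_FULL
 group-lock value TG_FULL
group-policy GP_BASIC internal
group-policy GP_BASIC attributes
 vpn-tunnel-protocol svc
 address-pools value POOL_BASIC
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_BASIC
 vpn-filter value VPNFILTER_BASIC
 group-lock value TG_BASIC
group-policy GP_DMZ internal
group-policy GP_DMZ attributes
 vpn-tunnel-protocol svc
 address-pools value POOL_DMZ
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_DMZ
 vpn-filter value VPNFILTER_DMZ
 group-lock value TG_DMZ

! One tunnel group per access level; each one authenticates and accounts against IAS.
! group-lock above ties each policy to exactly one of these.
tunnel-group TG_FULL type remote-access
tunnel-group TG_FULL general-attributes
 authentication-server-group IAS
 accounting-server-group IAS
 default-group-policy GP_NOACCESS
tunnel-group TG_FULL webvpn-attributes
 group-alias Full-Access enable
tunnel-group TG_BASIC type remote-access
tunnel-group TG_BASIC general-attributes
 authentication-server-group IAS
 accounting-server-group IAS
 default-group-policy GP_NOACCESS
tunnel-group TG_BASIC webvpn-attributes
 group-alias Basic-Access enable
tunnel-group TG_DMZ type remote-access
tunnel-group TG_DMZ general-attributes
 authentication-server-group IAS
 accounting-server-group IAS
 default-group-policy GP_NOACCESS
tunnel-group TG_DMZ webvpn-attributes
 group-alias DMZ-Access enable

! Let AnyConnect users pick the group alias from the drop-down.
webvpn
 enable outside
 svc enable
 tunnel-group-list enable
```

How the deny case plays out: a user who is only in VPN-DMZ and picks Full-Access is authenticated by IAS, which returns OU=GP_DMZ;. GP_DMZ carries group-lock value TG_DMZ, which does not match TG_FULL, so the ASA rejects the session. A user in none of the three groups matches no IAS policy and gets an Access-Reject outright. Because the IAS policies are the only thing deciding the mapping, the IAS log records which policy matched for every attempt, and the accounting-server-group lines give start/stop records on the same server, which is the logging the question asks for. The vpn-filter lines matter: without them the "no DMZ" and "no infrastructure" restrictions are only routing hints on the client, which the user can override with a static route.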

4 Replies

Collin Clark
VIP Alumni

IMO a more elegant solution is to use DAP on your ASA.

http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a0080bf4915.shtml#member

Hope it helps.

Thanks, Collin, but elegant in this case means complicated, and that just doesn't work for me in this situation.  There has to be a simpler way...

It's significantly easier with security products like Cisco Identity Services Engine, but you're adding infrastructure and cost. Next best thing is DAP. DAP is actually pretty easy, don't let the config guide scare you away from it. IMO MS Radius stinks for anything other than basic authentication so I never use it for anything else.

Thanks again, Collin.  DAP seems pretty handy, and it looks like it can do exactly what I need; however, to authenticate and apply ACLs by AD group membership, I'll still be using LDAP authentication so I won't get good logs on end user connections.  I think I'll keep digging on the Radius login and see if I can't come up with some other method.