03-19-2013 11:47 AM
Hi all,
I'm trying to figure out how to set up our ASA to use AD group membership to assign users a profile using Radius. The goal is to set up different access into the network.
For instance, one group would be allowed full access to the network, including access to infrastructure elements (ASA, routers, etc.)
Another group will be given basic access to the network, but no access to the DMZ.
Another group will be allowed access to the DMZ server, but not to the infrastructure.
We're currently using Radius (IAS) on Windows Server 2003. Is there a way to check group membership in AD using Radius?
I'd like to keep this as simple as possible, so I'm thinking of each profile using a different VPN Pool, then using split-tunneling to put routes, or not, to the required networks on the user's device. The users would only belong to one group in AD. They will be able to choose their group, but if they're not a member they should be denied.
I've done LDAP authentication using group membership, but we need good accounting and logging so we'd like to use the Radius server. I've looked for this info everywhere, but it's pretty elusive.
Thanks for any suggestions, links, step-by-step instructions or volunteers to come on-site and help.
03-21-2013 11:12 AM
IMO a more elegant solution is to use DAP on your ASA.
http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a0080bf4915.shtml#member
Hope it helps.
03-21-2013 01:41 PM
Thanks, Collin, but elegant in this case means complicated, and that just doesn't work for me in this situation. There has to be a simpler way...
03-21-2013 01:46 PM
It's significantly easier with security products like Cisco Identity Services Engine, but you're adding infrastructure and cost. Next best thing is DAP. DAP is actually pretty easy, don't let the config guide scare you away from it. IMO MS Radius stinks for anything other than basic authentication so I never use it for anything else.
03-22-2013 07:23 AM
Thanks again, Collin. DAP seems pretty handy, and it looks like it can do exactly what I need; however, to authenticate and apply ACLs by AD Group membership, I'll still be using LDAP authentication so I won't get good logs on end user connections. I think I'll keep digging on the Radius login and see if I can't come up with some other method.
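For reference, here is an added example (not posted by anyone in this thread) of the ASA side of the pool-per-group design the original poster describes, keeping RADIUS as the authentication server: one group-policy per AD group, each with its own address pool and split-tunnel list, and a deny-by-default fallback for users whose RADIUS reply maps to no policy. The pool ranges, ACL networks, policy names and the RADIUS server address are assumed values.

```cisco
! Added example, not from the thread: ASA config for RADIUS-assigned roles.
! Pool ranges, ACL networks, names and the server address are assumed values.
!
! One address pool per role so routes and firewall rules can key off the pool
ip local pool POOL_FULL  10.200.1.1-10.200.1.100 mask 255.255.255.0
ip local pool POOL_BASIC 10.200.2.1-10.200.2.100 mask 255.255.255.0
ip local pool POOL_DMZ   10.200.3.1-10.200.3.100 mask 255.255.255.0
!
! Split-tunnel lists: only the listed networks are routed into the tunnel
access-list SPLIT_FULL  standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_BASIC standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_DMZ   standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_DMZ   standard permit 172.16.10.0 255.255.255.0
!
! Per-role group policies, selected by the Class attribute in the RADIUS reply
group-policy GP_FULL internal
group-policy GP_FULL attributes
 address-pools value POOL_FULL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_FULL
group-policy GP_BASIC internal
group-policy GP_BASIC attributes
 address-pools value POOL_BASIC
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_BASIC
group-policy GP_DMZ internal
group-policy GP_DMZ attributes
 address-pools value POOL_DMZ
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_DMZ
!
! Fallback policy: a user whose reply carries no matching Class attribute
! lands here and is refused (zero simultaneous logins)
group-policy GP_DENY internal
group-policy GP_DENY attributes
 vpn-simultaneous-logins 0
!
! RADIUS (IAS) server; the shared secret is a placeholder
aaa-server RADIUS_IAS protocol radius
aaa-server RADIUS_IAS (inside) host 192.0.2.10
 key <SHARED-SECRET-PLACEHOLDER>
!
! A single tunnel-group: the RADIUS server decides the role, not the user
tunnel-group VPN_USERS type remote-access
tunnel-group VPN_USERS general-attributes
 authentication-server-group RADIUS_IAS
 default-group-policy GP_DENY
```

On the IAS side this pairs with one remote access policy per Windows group, each returning the standard RADIUS Class attribute (IETF attribute 25) with the value OU=GP_FULL;, OU=GP_BASIC; or OU=GP_DMZ; (trailing semicolon included), which the ASA uses to pick the group-policy; authentication and accounting stay on RADIUS, so the connection logs the poster wants are preserved.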