318 Views, 0 Helpful, 5 Replies

AnyConnect integration with AD using LDAP protocol

I have already integrated the ASA with Active Directory using the LDAP protocol and it is working fine, but now I want to allow only a specific group in Active Directory to access the AnyConnect VPN, not all AD users.

example of AD tree :

Mednet.com

    Group A

          Group B

          Group C

          Group D

So I want only Group B to be able to access the AnyConnect VPN.

5 Replies

JP Miranda Z
Cisco Employee

Hi mohamed.fawzy2012,

You can use LDAP mapping in order to allow AnyConnect access depending on an AD group; this link can help you with the common questions and configuration examples:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Hope this info helps!!

Rate if it helps you!!

-JP-
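A worked ASA configuration for the LDAP-mapping approach JP points to, added here as an illustration rather than taken from the thread or the linked Cisco document. The server address, bind account, password, policy and tunnel-group names are assumed; the group DN follows the example tree in the question (Group B under Group A in Mednet.com) and must be replaced with the real distinguishedName of the group in AD.

```cisco
! Added example (not from the thread): restrict AnyConnect to AD "Group B" with an LDAP attribute map.
! All names, addresses and DNs below are assumed values for illustration.

! 1. Map the AD memberOf attribute onto the ASA Group-Policy attribute.
!    Only users whose memberOf contains this exact DN receive GP-ANYCONNECT-GROUPB.
!    memberOf lists direct membership only; nested groups are not expanded by this comparison.
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Group B,OU=Group A,DC=Mednet,DC=com" GP-ANYCONNECT-GROUPB

! 2. LDAP server group pointing at AD (IP, bind DN and password are placeholders).
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.0.0.10
 ldap-base-dn DC=Mednet,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=Mednet,DC=com
 ldap-login-password REPLACE-WITH-BIND-PASSWORD
 server-type microsoft
 ldap-attribute-map AD-MAP

! 3. Deny-by-default policy: a user who authenticates but is not mapped lands here
!    and is refused because zero simultaneous logins are allowed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 4. Policy granted to Group B members by the attribute map.
group-policy GP-ANYCONNECT-GROUPB internal
group-policy GP-ANYCONNECT-GROUPB attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client

! 5. Tunnel group: authenticate against AD and fall back to NOACCESS unless the map overrides it.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group AD
 default-group-policy NOACCESS
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias AnyConnect enable
```

To confirm the mapping before rolling it out, run `test aaa-server authentication AD host 10.0.0.10 username <user> password <pass>` with `debug ldap 255` enabled for a member and a non-member of Group B; the debug output shows the memberOf values returned by AD and which Group-Policy, if any, the map assigned. The security-relevant part is step 3: the tunnel group's default policy must be the deny policy, otherwise every AD user who authenticates gets in regardless of the map.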

I have done an implementation using LDAP mapping as suggested by JP and it worked well. More recently I have done an implementation using Dynamic Access Policy on ASA to check LDAP group membership which is working well. Mapping is perhaps a bit more straightforward to set up and DAP has more flexibility to handle things like membership in multiple groups.

HTH

Rick


How can I implement DAP? Kindly provide me with an example.

Like this:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

or this:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html

You might also want to take a look at this link

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/vpn/asdm_71_vpn_config/vpn_asdm_dap.html?referring_site=RE&pos=2&page=http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html#62710

HTH

Rick

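A DAP counterpart to the Group B restriction, added here as an illustration and not taken from the thread or the linked Cisco documents. The AAA selection criterion itself (LDAP attribute memberOf equal to the Group B DN) is entered in the DAP record editor in ASDM and stored in dap.xml on flash, so only the record names, actions and priorities below appear in the running configuration. Record names, the message text and the DN are assumed.

```cisco
! Added example (not from the thread): DAP records for the Group B restriction.
! Names, message and DN are assumed values for illustration.

! Default record: terminates any session that matches no other DAP record.
! Changing this from "continue" to "terminate" is what makes the policy deny-by-default.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
 user-message "This account is not authorised for AnyConnect access."

! Record for Group B members. Selected when the ASDM-configured AAA criterion
! ldap.memberOf = "CN=Group B,OU=Group A,DC=Mednet,DC=com" matches; "continue" admits the session.
dynamic-access-policy-record DAP-GROUPB
 action continue
 priority 10
```

Because the ASA evaluates every DAP record and aggregates the ones that match, a user who is a member of several AD groups can hit several records at once, which is the flexibility Rick mentions over a single attribute map; the terminate action on DfltAccessPolicy is still what keeps users outside Group B out, so it should be verified with a non-member test account after the records are saved.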