07-17-2014 03:27 AM - edited 02-21-2020 07:44 PM
Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
To prevent users from selecting an incorrect group-policy, the LDAP server provides a IETF-Radius-Class value which matches the different group-policy names.
It is my understanding that the authentication method is provided by the tunnel-group.
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP_AD
This all works, but for _one_ of the group policies i'd like to enable (external) two factor authentication. Two enable two factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
Creating a tunnel-group which maches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose ?
07-17-2014 04:27 AM
Fabian,
Your connection lands on a tunnel group and picks a group policy.
A typical way to overcome the problem you're indicating is by using group-url.
a URL is bound to a specific tunnel-group and allows you to land directly on the one you desire.
vide:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
M.
07-17-2014 04:51 AM
Thanks for the suggestion, but just like enabling tunnel-group-list group-url provides a 'variable' to a user which allows the user to change the tunnel-group. I'm aware it's possible to deny certain users to certain tunnel-groups but providing the tunnel-group option might cause confusion.
I'd like users to only remeber a username/password and let LDAP do the rest.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide