
Anyconnect VPN AD group specific

Stacey Hummer
Level 1

So, once again I am in need of assistance.

We are in the process of setting up our ASA and I have 2 VPNs set up, one for tunnel-all and the other for split-tunnel. The issue is I want to put all domain users (excluding admins) on the tunnel-all VPN. The Domain Admins I want to put on split-tunnel. I've tried to use the ldap-mapping but it seems to only add groups, not to each profile but to all profiles. Is there a way of saying all domain users use this tunnel, all domain admins use this tunnel?

 

I've done lots of reading but I seem to be overwhelmed with getting everything else setup on it.

 

Currently running a 5525-X with the latest IOS and ASDM.

Thanks in advance.

Stacey

2 Replies

guibarati
Level 4

You can do it with DAP (Dynamic Access Policies) - if the LDAP user is memberOf = admins, use the split-tunnel policy (tunnel list below); else tunnel policy = tunnel all.

 

You can do the same creating two separate group-policy.

Create a LDAP map that maps:

      ldap attribute-map test
        map-name memberOf IETF-Radius-Class
        ! the memberOf value must match the AD group's full DN as returned by LDAP,
        ! e.g. "CN=Admin,OU=Groups,DC=example,DC=com" (short names shown here for brevity)
        map-value memberOf Admin group-policy1
        map-value memberOf vpn-user group-policy2

The radius attribute "Class" tells the ASA what group-policy that user should be placed in.

By creating the LDAP map you will say: convert (LDAP memberOf: Admin) to RADIUS (RADIUS Class: group-policy1)

You can't use "domain users" for group-policy2 because the admins are also domain users. Create a separate group and add all users except admins.
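The configuration around that map, as an added example that is not part of this thread or of any Cisco documentation: two group-policies (tunnel-all and split-tunnel), the LDAP map tying AD groups to them, the AAA server that applies the map, and a default group-policy for the tunnel-group that denies logins, so an authenticated user who is in neither AD group is refused rather than silently landing in a default policy. All names (group-policy and ACL names, `DC=example,DC=com`, the group DNs, the server IP and service account) are assumptions; `Group-Policy` is used as the ASA attribute name, which behaves the same as the `IETF-Radius-Class` used in the reply above.

```text
! Added example (not from the thread). All names and addresses below are assumptions.

! Group-policy for ordinary users: everything goes through the tunnel.
group-policy GP-TUNNEL-ALL internal
group-policy GP-TUNNEL-ALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! Group-policy for admins: only the listed internal networks are tunneled.
access-list SPLIT-TUNNEL-ACL standard permit 10.0.0.0 255.0.0.0
group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL

! Fallback policy: a user the map does not place in a known group gets no session.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! LDAP map: AD group DN -> ASA group-policy. Values must be the full group DN.
! VPN-Users is a dedicated AD group (not "Domain Users"), because admins are
! also members of Domain Users and would match both lines.
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP-SPLIT
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-TUNNEL-ALL

! AAA server that authenticates against AD and applies the map.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
 ldap-attribute-map AD-MAP

! Single AnyConnect tunnel-group; the group-policy is chosen per user by the map.
ip local pool VPN-POOL 192.168.100.10-192.168.100.250 mask 255.255.255.0
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

With this in place a single connection profile is enough: the group-policy is assigned from the user's AD membership at login, and `show vpn-sessiondb anyconnect` shows which group-policy each session received. Check the DNs with `debug ldap 255` during a test login if a user lands in GP-NOACCESS unexpectedly; the most common cause is a memberOf value that does not match the map string exactly.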

 

Thanks for the explanation, it actually makes sense now. I will give this a go.