04-14-2015 01:31 PM - edited 02-21-2020 08:10 PM
So, once again I am in need of assistance.
We are in the process of setting up our ASA and I have 2 VPNs set up, one for tunnel-all and the other for split-tunnel. The issue is I want to put all domain users (excluding admins) on the tunnel-all VPN. The Domain Admins I want to put on split-tunnel. I've tried to use the ldap-mapping but it seems to only add groups, not to each profile but to all profiles. Is there a way of saying all domain users use this tunnel, all domain admins use this tunnel?
I've done lots of reading but I seem to be overwhelmed with getting everything else setup on it.
Currently running a 5525-X latest IOS and ASDM.
Thanks in advance.
Stacey
04-15-2015 12:52 PM
You can do it with DAP (Dynamic Access Policies): if the LDAP user is memberOf = admins, use the split-tunnel policy (tunnel list below); else tunnel policy = tunnel all.
You can do the same by creating two separate group-policies.
Create an LDAP map that maps:
ldap attribute-map test
 map-name memberOf IETF-Radius-Class
 map-value memberOf Admin group-policy1
 map-value memberOf vpn-user group-policy2
The radius attribute "Class" tells the ASA what group-policy that user should be placed in.
By creating the LDAP map you are saying: convert (LDAP memberOf: Admin) to RADIUS (RADIUS Class: group-policy1).
You can't use "domain users" for group-policy2 because the admins are also domain users. Create a separate group and add all users except admins.
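A fuller configuration built around the attribute map described above, as an added example that is not part of the original answer. The AD group DNs (CN=VPN-Admins and CN=VPN-Users under OU=Groups,DC=example,DC=com), the LDAP server address 192.0.2.10, the bind account and all object names (AD-LDAP, GP-SPLIT-TUNNEL, GP-TUNNEL-ALL, GP-NOACCESS, ANYCONNECT-TG, SPLIT-TUNNEL-NETS) are assumed placeholders; substitute your own. Note that on the ASA the map-value must match the group's full distinguished name as returned in memberOf, not just its short name:

```cisco
! Assumed example configuration, not the original poster's ASA config.
! LDAP attribute map: translate AD memberOf into the RADIUS Class attribute,
! which the ASA reads as the group-policy name to assign.
ldap attribute-map VPN-POLICY-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP-SPLIT-TUNNEL
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-TUNNEL-ALL
!
! AAA server group pointing at AD, with the attribute map attached.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map VPN-POLICY-MAP
!
! Only the internal networks that should go through the tunnel for admins.
access-list SPLIT-TUNNEL-NETS standard permit 10.0.0.0 255.255.0.0
!
! Group-policy for regular users: everything is tunnelled.
group-policy GP-TUNNEL-ALL internal
group-policy GP-TUNNEL-ALL attributes
 split-tunnel-policy tunnelall
!
! Group-policy for admins: only SPLIT-TUNNEL-NETS goes through the tunnel.
group-policy GP-SPLIT-TUNNEL internal
group-policy GP-SPLIT-TUNNEL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-NETS
!
! Catch-all default: an authenticated user who is in neither mapped group
! lands here and is refused a session instead of silently getting a policy.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Tunnel-group (connection profile): authenticate against AD, and fall back
! to the no-access policy when the attribute map returns nothing.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

The point of GP-NOACCESS as the default-group-policy is the same one made in the answer: because every admin is also a domain user, membership must be disjoint at the AD level (a VPN-Users group that deliberately excludes admins), and anyone outside both groups should get no tunnel at all rather than whichever policy the ASA happens to apply. After applying, `debug ldap 255` during a test login shows the memberOf values returned by AD and which map-value matched, which is the quickest way to confirm the DN strings are exact.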
04-20-2015 08:15 AM
Thanks for the explanation, it actually makes sense now. I will give this a go.