04-04-2017 09:32 AM - edited 02-21-2020 09:14 PM
I am looking to eliminate the need for the drop down list, and just assign a user's policy based on their GPO in AD through ISE. Was looking at this doc, http://www.petenetlive.com/KB/Article/0001155 , but it retains the group drop down. I don't want to over complex it either (I don't want to own it IYKWIM), so should be fairly easy to manage.
I would also like to incorporate Two Factor using Certs, and not the breath mints (can you still get those?). I have two options for Certs, push them out via the ASA, which means a separate item to admin, or through AD, either through ISE or a Windows Cert server. We do have APEX licenses, ISE and X model ASA, so have pretty much the latest and greatest.
Which method would work best in this situation then, using ISE, or using LDAP as per this, http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html ?
End goal, needs to be dumbed down to the Executive level. Client clicks, auths and that is all. One step better would be click clicks and that's all, but now we're into SSO and LBSO.
04-04-2017 10:57 AM
For your requirements, you should remove all group-aliases and have everyone fall into the Default Tunnel group. The group-policy assignment can then be made by AD membership. If you have created a specific tunnel group (other than the default), change your group-url so that https://<vpn_fqdn> points to that tunnel-group directly.
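The following ASA configuration is an added illustration of the approach described in this reply (no group-alias, one tunnel-group reached by group-url, group-policy chosen by AD group membership via an LDAP attribute map). It is not taken from the thread or from either linked article; the hostname, group-policy names, AD DNs, server address and service-account name are placeholders. The catch-all default-group-policy has simultaneous logins set to 0, so an authenticated user whose AD groups are not mapped gets no session rather than a permissive default.

```cisco
! Added example, not configuration from the thread. All names and DNs are placeholders.

! Restrictive catch-all: users with no mapped AD group authenticate but get no session.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy for full-client (AnyConnect) users
group-policy GP_CLIENT internal
group-policy GP_CLIENT attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3

! Policy for clientless portal users
group-policy GP_PORTAL internal
group-policy GP_PORTAL attributes
 vpn-tunnel-protocol ssl-clientless
 vpn-simultaneous-logins 3

! Map the AD memberOf attribute onto the ASA Group-Policy attribute.
! Placeholder DNs; use the exact DN of each AD group.
ldap attribute-map AD_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Client,OU=Groups,DC=example,DC=com" GP_CLIENT
 map-value memberOf "CN=VPN-Portal,OU=Groups,DC=example,DC=com" GP_PORTAL

! AD over LDAPS (placeholder server address and bind account)
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD_MAP

! One tunnel-group, reached directly by the bare FQDN.
! No group-alias is configured, so no drop-down list is presented.
tunnel-group TG_RA type remote-access
tunnel-group TG_RA general-attributes
 authentication-server-group AD_LDAP
 default-group-policy GP_NOACCESS
tunnel-group TG_RA webvpn-attributes
 group-url https://vpn.example.com enable

webvpn
 enable outside
 anyconnect enable
```

After applying this, `show vpn-sessiondb` (or `debug ldap 255` during a test login) confirms which group-policy a user was mapped to; a user in neither AD group should authenticate and then be refused by GP_NOACCESS.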
04-25-2017 09:21 AM
Can the URL be the base URL with a /group_name in it? Like https://remote-access.mycompany.com/clientless and https://remote-access.mycompany.com/client ?
04-25-2017 09:19 AM
Got ISE and DACL working with AD memberships, now to figure out how to set up access so that if a user is a member of Portal, which is the Clientless one, they won't download the client, but get a CIFS share instead, and Client members would install the client.
04-25-2017 02:12 PM
Figured it out, got it all working through ISE. ASA VPN and the group-policy name under results is where it is.