ASA 9.1 + ACS 5.4 SSL Web Portal Bookmarks according to AD Group.

Ivan Rezvantsev

Hello.

I have some issues with SSL VPN on an ASA 5515-X.

I have an ASA (9.1) connected to ACS (5.4) and have configured the AnyConnect mobile client and the clientless SSL web portal. ACS also has a connection to Active Directory.

So it is configured so that AD users from a group, for example VPN_clients, can connect via the AnyConnect client or, without a client, via the SSL web page. And it's working fine.

My goal is to make different SSL portal bookmarks (in ASA terms, different group policies) according to the AD user group.

For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want users from these groups, after authentication at the SSL web portal, to see only their own bookmarks, available only for their group.

As I understand it, after the authentication process ACS must tell the ASA which AD groups the user belongs to, and the ASA must choose the right group policy for the user, but I have no experience of how to do this.

Accepted Solution

Hello Ivan,

You are right, ACS can let the ASA know which group-policy it should assign based on RADIUS attribute 25.

Steps on ACS:

1- Define the AD groups:

(screenshot: AD-group-1.png)

2- Define the authorization profile under the Policy Elements tab:

(screenshot: policy-element-1.png)

3- Create the Authorization policy and access criteria:

(screenshot: access-policy.png)

Then, on the ASA:

1- Create a group-policy and name it "it".

2- Through the ASDM, create and assign the bookmarks to this group-policy.

3- Once a user authenticates, the ACS sends attribute 25, which contains the string "ou=it".

4- The ASA looks for the group-policy "it" and assigns it to the user's session.

Let me know if you have any questions.

HTH.

Please rate any helpful posts.

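The ASA side of the procedure in the accepted answer, written out as CLI for the three AD groups named in the question. This is an added example constructed for this page, not the poster's configuration or Cisco's documentation. It assumes ACS is reachable at 10.0.0.10 on the inside interface, that the bookmark lists (Admin-Bookmarks, Finance-Bookmarks, Logistic-Bookmarks) have already been created in ASDM or imported, and that ACS returns the IETF Class attribute (RADIUS type 25) as OU=<group-policy-name>, exactly as the answer describes. Addresses, names and the shared-secret placeholder are assumptions.

```cisco
! Added example (not from the original post): ASA clientless SSL VPN where the
! group-policy, and therefore the bookmark list, is selected by RADIUS Class (25).
! Addresses, names and <shared-secret> are assumptions.

! RADIUS server group pointing at ACS. ACS must return Class = "OU=<group-policy-name>";
! the group-policy name on the ASA must match the part after "OU=".
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.10
 key <shared-secret>

! One group-policy per AD group. The bookmark list is referenced by name; the lists
! themselves are built in ASDM (Clientless SSL VPN Access > Portal > Bookmarks).
group-policy VPN_admin internal
group-policy VPN_admin attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  url-list value Admin-Bookmarks

group-policy VPN_Finance internal
group-policy VPN_Finance attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  url-list value Finance-Bookmarks

group-policy VPN_Logistic internal
group-policy VPN_Logistic attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  url-list value Logistic-Bookmarks

! Fail-closed default: a user whose Access-Accept carries no matching Class attribute
! lands here and gets no session, instead of inheriting another group's bookmarks.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! Connection profile: authenticate against ACS, fall back to the deny policy.
tunnel-group SSL-Portal type remote-access
tunnel-group SSL-Portal general-attributes
 authentication-server-group ACS
 default-group-policy NoAccess
tunnel-group SSL-Portal webvpn-attributes
 group-alias Portal enable

webvpn
 enable outside
 tunnel-group-list enable
```

Two checks are worth running after a test login: `show vpn-sessiondb webvpn` lists the group-policy actually applied to each session, and `debug radius` shows the Access-Accept so you can confirm the Class attribute arrives with the OU= prefix and the expected policy name. Note that the IETF Class attribute (25, value OU=name) is distinct from the Cisco vendor-specific Group-Policy attribute; the answer above uses the IETF form, so the ACS authorization profile must emit the OU= prefix.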

3 Replies

Thank you very much, it's working as expected!

Perfect!! You are welcome.