02-24-2014 03:45 AM
Hello.
I have some issues with SSL VPN on an ASA 5515-X.
I have an ASA (9.1) connected to ACS (5.4) and have configured the AnyConnect mobile client and the clientless SSL web portal. ACS also has a connection to Active Directory.
So it's configured that AD users from a group, for example VPN_clients, can connect via the AnyConnect client or without a client via the SSL web page. And it's working fine.
My goal is to make different SSL portal bookmarks (in ASA terms, different group policies) according to the AD user group.
For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want users from these groups, after authentication at the SSL web portal, to see only their own bookmarks, available only for their group.
As I understand it, after the authentication process ACS must tell the ASA which AD groups the user belongs to, and the ASA must choose the right group policy for the user, but I have no experience of how to make this work.
02-24-2014 07:45 AM
Hello Ivan,
You are right, ACS can let the ASA know which group-policy to assign, based on RADIUS attribute 25.
Steps on ACS:
1- Define the AD groups:
2- Define the authorization profile under the Policy Elements tab:
3- Create the Authorization policy and access criteria:
Then, on the ASA:
1- Create a group-policy and name it "it".
2- Through the ASDM, create and assign the bookmarks to this group-policy.
3- Once a user authenticates, the ACS sends the attribute 25, which contains the string "ou=it".
4- The ASA looks for the group-policy "it" and assigns it to the user's session.
Let me know if you have any questions.
HTH.
Please rate any helpful posts.
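The whole exchange above comes down to one mapping: ACS returns RADIUS attribute 25 (Class) with a value of the form `OU=<group-policy-name>;`, and the ASA selects the group-policy of that name, so each AD group ends up with its own bookmark list. The following Python model, added here as an illustration and not code from Cisco, ACS or the ASA, parses that attribute value and performs the lookup against a constructed table of group-policies built from the three AD groups in the question. The policy names, bookmark URLs, the `NoAccess` default, and the fallback to the tunnel-group's default group-policy when the returned name does not exist on the ASA are assumptions of this model, not behaviour taken from the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RADIUS attribute 25 (Class), returned by ACS in the Access-Accept.
RADIUS_CLASS = 25


@dataclass
class GroupPolicy:
    """Constructed stand-in for an ASA group-policy with its clientless bookmarks."""
    name: str
    bookmarks: List[str] = field(default_factory=list)


# Constructed ASA-side table (assumed names and URLs): one group-policy per AD
# group from the question, plus a deliberately empty policy used as the
# tunnel-group default so an unmapped user sees no bookmarks at all.
CONFIGURED_POLICIES: Dict[str, GroupPolicy] = {
    "VPN_admin": GroupPolicy("VPN_admin", ["https://asdm.example.test", "https://mgmt.example.test"]),
    "VPN_Finance": GroupPolicy("VPN_Finance", ["https://erp.example.test"]),
    "VPN_Logistic": GroupPolicy("VPN_Logistic", ["https://wms.example.test"]),
    "NoAccess": GroupPolicy("NoAccess", []),
}
DEFAULT_POLICY = "NoAccess"  # assumed tunnel-group default-group-policy


def parse_class_attribute(value) -> Optional[str]:
    """Extract the group-policy name from an attribute-25 value.

    Accepts bytes (as carried on the wire) or str. The ASA expects
    'OU=<name>;'; the trailing semicolon is optional here and the 'OU='
    prefix is matched case-insensitively (the post shows it as 'ou=it').
    Returns None when the value is not an OU= mapping.
    """
    text = value.decode("ascii", errors="replace") if isinstance(value, (bytes, bytearray)) else str(value)
    text = text.strip().rstrip(";").strip()
    if text[:3].upper() != "OU=":
        return None
    name = text[3:].strip()
    return name or None


def select_group_policy(attrs: Dict[int, List[bytes]]) -> GroupPolicy:
    """Model the ASA's choice of group-policy from the returned RADIUS attributes.

    Walks every Class value in order and returns the first one that names a
    configured group-policy. A value naming a policy that does not exist on
    the ASA, or no usable Class value at all, falls back to the default
    policy (modelled fallback; verify against your ASA version).
    """
    for raw in attrs.get(RADIUS_CLASS, []):
        name = parse_class_attribute(raw)
        if name is None:
            continue
        policy = CONFIGURED_POLICIES.get(name)
        if policy is not None:
            return policy
    return CONFIGURED_POLICIES[DEFAULT_POLICY]


if __name__ == "__main__":
    # Constructed Access-Accept payloads, as ACS would return them.
    for accept in ({RADIUS_CLASS: [b"OU=VPN_Finance;"]},
                   {RADIUS_CLASS: [b"OU=Unmapped_Group;"]},
                   {}):
        chosen = select_group_policy(accept)
        print(f"{accept!r:40} -> {chosen.name}: {chosen.bookmarks}")
```

The point worth checking on a real deployment is the last branch: the name in `OU=` is whatever the ACS authorization profile sets (the answer uses "it"), it does not have to equal the AD group name, and a typo on either side means the user silently lands in the tunnel-group's default group-policy. Keeping that default policy empty (or otherwise restrictive) is what turns a mapping mistake into a visible failure rather than unintended bookmark access.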
03-04-2014 08:28 PM
Thank you very much, it's working as expected!
03-05-2014 05:40 AM
Perfect!! You are welcome.