07-20-2009 04:02 AM
Hi!
We have one ASA5510. I set up two groups for remote VPNs, and both use NT-domain authentication. How can I set a tunnel-group lock for the users in both groups?
How can I lock the user to the group? Is there any configuration in Active Directory to set the group for users?
I don't know what the solution is; I have found nothing.
Please help, thank you!
Gabor
07-20-2009 06:09 AM
There are a few ways that this can be accomplished. You can statically configure a connection profile lock on the respective group policy that the users are being assigned to. You could also use an LDAP attribute map to match a particular field in AD. For example, you configure your ASA connection profiles to match internal departments. Users in AD who are part of the Engineering department should get locked to the Engineering connection profile. You can achieve this type of configuration using the following:
ldap attribute-map Tunnel-Lock
 map-name department Tunnel-Group-Lock
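As an added example, not part of Todd's reply, here is the wider ASA configuration the two lines above sit in: the map-value entries translate each AD department value into the name of the connection profile that department is allowed to use, the map is attached to an LDAP server group, and both connection profiles authenticate through that group. Server-group, tunnel-group, IP address, DN and password values are constructed placeholders.

```text
! Added example (not from the thread). Names, address and DNs are placeholders.

! 1. Map the AD "department" attribute onto the Cisco Tunnel-Group-Lock attribute
!    and translate each department value into the connection profile it may use.
ldap attribute-map Tunnel-Lock
 map-name department Tunnel-Group-Lock
 map-value department Engineering ENG-VPN
 map-value department Sales SALES-VPN

! 2. Authenticate against AD over LDAP and attach the map. The map is only applied
!    by an LDAP server group; an NT-domain server group cannot return attributes.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-ldap-bind,cn=Users,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map Tunnel-Lock

! 3. Both connection profiles authenticate through the same LDAP server group.
!    A Sales user who connects to ENG-VPN authenticates, then is rejected because
!    the returned Tunnel-Group-Lock (SALES-VPN) does not match the profile used.
tunnel-group ENG-VPN type remote-access
tunnel-group ENG-VPN general-attributes
 authentication-server-group AD-LDAP
tunnel-group SALES-VPN type remote-access
tunnel-group SALES-VPN general-attributes
 authentication-server-group AD-LDAP
```

A user whose department attribute is empty in AD receives no lock at all, so populate it for every VPN account. `test aaa-server authentication AD-LDAP username <user> password <pw>` together with `debug ldap 255` shows which attribute value the ASA actually receives and maps.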
07-21-2009 12:52 AM
Hi, Todd!
Thank you! This is what I want.
(Please post a message to close this topic - I failed the rating.)
Thanks, Gabor
07-21-2009 02:17 AM
Hi,
Something is not clear.
In the example, what is the "department" in AD? What does "particular field" mean? Do I have to extend the AD schema, or what?
07-21-2009 06:56 AM
The "department" field that I was speaking to would be an attribute assigned to the user account in Active Directory.
07-21-2009 10:17 PM
OK! Thank you, I found this field in AD.
There is a good guide here:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html
Bye, Gabor