Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3039
Views
0
Helpful
1
Replies

ASA - Radius Authentication and LDAP Authorisation

ketanbhogaita
Level 1
Level 1

‎09-14-2011 08:16 AM

Hi All,

I'm aware that you can authenticate and authorise end-users using either Radius or LDAP on an ASA for remote and or Admin users?

But was wondering if you can combine the two so authentication is done via Radius and LDAP for authorisation i.e. if user in Sales group within AD then allow them access to specific server if user member of engineering give them access to different servers?

If possible then I would like to set this up so that my users can be allowed to access specific devices on the local LAN when remote.

Kind regards,

Ketan

Labels:
0 Helpful
1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

‎09-17-2011 02:50 PM

Hi Ketan,

yes that should be no problem. You define 2 aaa-server's:

aaa-server myradius protocol radius etc.etc.

aaa-server myldap protocol ldap etc etc.

tunnel-group mytg ...

  authentication-server-group myradius
  authorization-server-group myldap

For more details, check the config guide:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1470514

Then there are different ways to apply different policies/access-lists/... to different AD groups, have a look at this document:

The document explains how to permit/deny access to the network based on AD settings, but similarly you can use different DAP policies to apply ACLs, or use an LDAP map to map to different group-policies.

If any of it is not clear, let us know.

hth

Herbert

--

If this post answers your question, please click the "Correct Answer" button

0 Helpful
Customers Also Viewed These Support Documents