ASA VPN configuration - multiple domains / multiple profiles

bberry
Level 1

Hey all,

I am continuing work on getting my new ASA VPN ready for production. I have gotten LDAP authentication working and can match group membership as part of authentication. I am slowly but surely getting there.

I now have a new problem. Should I be able to have the policy check multiple sub-domains? If so, how? I have two sub-domains in my forest with users from both connecting via VPN. I have created groups in both sub-domains to check membership and the AD account I am using has access to both sub-domains as well. I am fully qualifying the group in the map-value but have not found a way to do an "or" or specify a secondary.

Based upon the above, my next question is how do I handle the multiple tunnel groups I currently have defined on our current 3020 VPN concentrator? Can I have policies that can be correlated with the unique tunnels or do I simply have a generic policy that everyone has to meet? I am basically trying to verify that the tunnel a user is coming into is actually the tunnel they should be using.

Maybe too extreme?

Maybe I am taking the wrong approach?

I am open to suggestions. The ultimate goal here is to take what is in production on my VPN concentrator that is only using username and password and migrate it all to the ASA VPN and integrate it into LDAP. I have about 25 tunnels that I will recreate but am trying to figure out the best way to handle the authentication. These groups include both employee and vendor access and are part of both of the sub-domains. Management is requesting as granular as possible without making things a management nightmare but at the same time keep security as high as possible.

Brent

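The following is an added example illustrating the two questions in the post (an "or" across sub-domains, and tying users to the tunnel group they should be using); it is not configuration from the original poster or from Cisco documentation. All names (the attribute map, group policies, tunnel groups, group DNs, the service account, the server address) are constructed placeholders, and it assumes an ASA whose `ldap attribute-map` supports multiple `map-value` lines under one `map-name` and whose `group-policy` supports `group-lock`.

```cisco
! Constructed example: several map-value lines under one map-name act as an "or".
! A user whose memberOf contains either DN receives the same group policy.
ldap attribute-map VPN-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Employees,OU=Groups,DC=corp,DC=example,DC=com" GP-EMPLOYEES
 map-value memberOf "CN=VPN-Employees,OU=Groups,DC=emea,DC=example,DC=com" GP-EMPLOYEES
 map-value memberOf "CN=VPN-Vendors,OU=Groups,DC=corp,DC=example,DC=com" GP-VENDORS
 map-value memberOf "CN=VPN-Vendors,OU=Groups,DC=emea,DC=example,DC=com" GP-VENDORS
!
! Assumption: one domain controller will only search its own domain partition, so
! the base DN is the forest root and the Global Catalog port (3268) is used so that
! accounts and group membership from both sub-domains are visible in a single query.
aaa-server LDAP-FOREST protocol ldap
aaa-server LDAP-FOREST (inside) host 192.0.2.10
 server-port 3268
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=corp,DC=example,DC=com
 ldap-login-password PLACEHOLDER-PASSWORD
 server-type microsoft
 ldap-attribute-map VPN-GROUP-MAP
!
! Users who match no map-value fall through to the tunnel group's default policy,
! which denies the session by allowing zero simultaneous logins.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! group-lock ties the mapped policy to one tunnel group: an employee who connects
! to the vendor tunnel is rejected even though the LDAP credentials are valid.
group-policy GP-EMPLOYEES internal
group-policy GP-EMPLOYEES attributes
 group-lock value TG-EMPLOYEES
group-policy GP-VENDORS internal
group-policy GP-VENDORS attributes
 group-lock value TG-VENDORS
!
tunnel-group TG-EMPLOYEES type remote-access
tunnel-group TG-EMPLOYEES general-attributes
 authentication-server-group LDAP-FOREST
 default-group-policy NOACCESS
tunnel-group TG-VENDORS type remote-access
tunnel-group TG-VENDORS general-attributes
 authentication-server-group LDAP-FOREST
 default-group-policy NOACCESS
```

`debug ldap 255` during a test login shows the memberOf values returned and which map-value matched, which is the quickest way to confirm that groups from the second sub-domain are actually being returned by the server you point at.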