
Assigning ACLs through remote access VPN based on group

alandean
Level 1

Hello,

I want to restrict access to remote access users based on group membership. There could be 100 at some point.

LDAP attribute maps work, but I would have to update the LDAP attribute map and create a group policy for each group.

DAPs work also but I'm running in multi-context mode which Cisco says is not supported.

 

I would rather use DAPs. Does anyone use DAPs for checking group membership in multi-context mode without issue?

Or are VPN filters a better option?

Is there a best practice for this?

1 Reply

Rahul Govindan
VIP Alumni
You can use dynamic VPN filters based on the AD group the user is in. But this would require a Radius server doing the Authentication and Authorization (you can easily use the NPS functionality on Windows server). You would need to pass the filter-id attribute back to the ASA and have the ACL defined locally.
An example using ACS is given here:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113449-asa-vpn-acs-00.html#new

IMO LDAP attribute maps might be easier to configure than using Radius or DAP. This is because you still have to manually configure the policy conditions on the NPS or ASDM GUI respectively. LDAP attribute maps allow you to configure the entire thing via CLI, which makes it easier for multiple changes at once.
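
Added example, not part of the reply above and not Cisco's code: one way to keep the per-group CLI manageable at the scale the question mentions is to generate it from a single table, so each AD group gets its own vpn-filter ACL, group policy and `map-value` line. The pool, group DNs, policy and ACL names, map name and subnets are constructed assumptions; the map still has to be bound to the LDAP `aaa-server` host with `ldap-attribute-map`.

```python
import ipaddress

# Constructed sample data (assumptions): VPN address pool, AD group DNs,
# group-policy names and the internal subnets each group may reach.
VPN_POOL = ("10.99.0.0", "255.255.255.0")
GROUPS = [
    {"dn": "CN=VPN-Eng,OU=Groups,DC=example,DC=com", "policy": "GP_ENG",
     "allow": [("10.10.10.0", "255.255.255.0"), ("10.10.20.0", "255.255.255.0")]},
    {"dn": "CN=VPN-Finance,OU=Groups,DC=example,DC=com", "policy": "GP_FIN",
     "allow": [("10.20.0.0", "255.255.0.0")]},
]


def render_asa_config(groups, pool=VPN_POOL, map_name="VPN_GROUP_MAP"):
    """Return ASA CLI text: per-group ACL, group-policy and attribute-map entry."""
    ipaddress.ip_network("/".join(pool))  # raises ValueError on a bad pool
    lines, map_lines, seen = [], [], set()
    for g in groups:
        dn, policy = g["dn"], g["policy"]
        if policy in seen or dn in seen:
            raise ValueError(f"duplicate group or policy: {dn} / {policy}")
        if '"' in dn or not g["allow"]:
            raise ValueError(f"bad DN or empty allow list for {policy}")
        seen.update((dn, policy))
        acl = f"VPNFILTER_{policy}"
        for net, mask in g["allow"]:
            ipaddress.ip_network(f"{net}/{mask}")  # rejects host bits / bad masks
            # vpn-filter ACLs list the remote (client) side as the source.
            lines.append(f"access-list {acl} extended permit ip "
                         f"{pool[0]} {pool[1]} {net} {mask}")
        lines += [f"group-policy {policy} internal",
                  f"group-policy {policy} attributes",
                  f" vpn-filter value {acl}"]
        map_lines.append(f' map-value memberOf "{dn}" {policy}')
    lines += [f"ldap attribute-map {map_name}",
              " map-name memberOf Group-Policy"] + map_lines
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_asa_config(GROUPS))
```

The generator refuses duplicate policies, empty allow lists and subnets with host bits set, so a typo in the table fails before anything is pasted into the firewall.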