cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
433
Views
0
Helpful
1
Replies
Highlighted
Beginner

Assigning ACLs through remote access VPN based on group

Hello,

I want to restrict access to remote access users based on group membership. There could be 100 at some point.

LDAP attribute maps work, but I would have to update the LDAP attribute map and create a group policy for each group.

DAPs work also but I'm running in multi-context mode which Cisco says is not supported.

 

I would rather use DAPs.Does anyone use DAPs for checking group membership in multi-context mode without issue?

 

Or are VPN filters a better option?

 

is there a best practice for this?

 

 

 

1 REPLY 1
Highlighted
Advocate

You can use dynamic VPN filters based on the AD group the user is in. But this would require a Radius server doing the Authentication and Authorization (you can easily use the NPS functionality on Windows server). You would need to pass the filter-id attribute back to the ASA and have the ACL defined locally.
An example using ACS is given here:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113449-asa-vpn-acs-00.html#new

IMO LDAP attribute maps might be easier to configure than using Radius or DAP. This is because you still have to manually configure the policy conditions on the NPS or ASDM GUI respectively. LDAP attribute maps allows you to configure the entire thing via CLI, which makes it easier for multiple changes at once.
Content for Community-Ad