Auto profile selection on AnyConnect SSL vpn

Hi,

We're running an ASA 5510 (8.0) with SSL vpn for our clients (AnyConnect).

Now, I've created 3 different profiles, and I have made it possible for the users to select the correct profile from a drop-down box in the AnyConnect client.

My question is this: Isn't it possible for the ASA to make some kind of auto-selection of profiles? So that it's transparent for the users?

Thanks in advance,

Rasmus

5 Replies

No one?

By "profile" I mean group policy.

Yes, you need to have the Class 25 attribute be "OU=GroupPolicy" and the user must be a member of a group named "GroupPolicy" in Active Directory. You must use a RADIUS server to send back the attribute. What kind of RADIUS server are you using?

Thanks for your reply.

I use Microsoft IAS. But I have already created different AD groups and set up accordingly in the ASA. So it works when the users manually select which policy/profile to use during login.

But now that I've got 3-4 different scenarios (ad group memberships or ASA profiles) I want the ASA to be able to hide the profile drop-down box (I know how to do that) and then select the proper policy/profile automatically based on which AD group the user is a member of.

I hope I make some kind of sense?

/Rasmus

Yes, it makes sense. Have a look at this link:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde3f0c

For each different scenario you will need to have a separate AD group (which it sounds like you already have). On the ASA, you will need to create a group policy for each AD group. I believe the drop-down box lets a user select the tunnel group/connection policy. You only need to use one tunnel group. Set a default group policy for this tunnel group. When a user connects on this tunnel group and types in their username and password, the AD group that matches the group policy will be dynamically assigned to that user, which bypasses the group policy that is assigned to the user. These group policies need to be named exactly the same for this to work, so it would probably be easier to rename the AD group names to match the group policies on the ASA.

Let me know if you have any other questions.

Tony
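To make the mechanism Tony describes concrete, here is a small model of the RADIUS side of it: the server (IAS in this thread) returns a Class attribute (RADIUS attribute 25) of the form `OU=<group-policy-name>` in its Access-Accept, and the ASA applies the group policy of that name, falling back to the tunnel group's default group policy when no such attribute is present. This is an added, constructed example, not code from the thread, from Cisco or from Microsoft; packet encoding follows RFC 2865, and the group-policy names, the shared secret and the request authenticator are made-up sample values. It also models the usual way to refuse users who are in none of the mapped AD groups: a default group policy with `vpn-simultaneous-logins 0`. That is a standard ASA pattern, not something the thread itself states.

```python
"""Model of the RADIUS Class-attribute exchange behind ASA group-policy selection.

Constructed example (not from the thread, Cisco or Microsoft). Encoding per
RFC 2865; the "OU=<name>" convention is what the ASA looks for in Class (25).
"""
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
RADIUS_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_CLASS = 25

# Constructed sample values: a real shared secret is long and random, and the
# request authenticator is 16 random bytes chosen by the ASA per request.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

# Modelled ASA configuration: group policies named exactly like the AD groups
# the RADIUS policy maps to, plus a deny-all default that the tunnel group uses
# when RADIUS returns no usable Class attribute (vpn-simultaneous-logins 0).
ASA_GROUP_POLICIES = {
    "GP-Sales":    {"vpn_simultaneous_logins": 3},
    "GP-Finance":  {"vpn_simultaneous_logins": 3},
    "GP-IT":       {"vpn_simultaneous_logins": 3},
    "GP-NoAccess": {"vpn_simultaneous_logins": 0},
}
TUNNEL_GROUP_DEFAULT_POLICY = "GP-NoAccess"


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type / Length / Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def build_access_accept(ident, request_auth, attributes, secret=SHARED_SECRET):
    """RADIUS server side: build an Access-Accept carrying the given attributes.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret).
    """
    payload = b"".join(_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(payload))
    resp_auth = hashlib.md5(header + request_auth + payload + secret).digest()
    return header + resp_auth + payload


def parse_radius(packet, request_auth, secret=SHARED_SECRET):
    """ASA side: verify the Response Authenticator, then return (code, [(type, value)]).

    A reply with a wrong shared secret or modified attributes is rejected here,
    so a Class attribute cannot simply be injected by something on the path.
    """
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    payload = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + payload + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator (wrong secret or tampered reply)")
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def group_policy_from_class(attrs):
    """Return the name in a Class attribute of the form OU=<name>, else None.

    A trailing ';' is accepted, since Cisco's examples write "OU=<name>;".
    Class values without the OU= prefix are ignored, as the ASA would not use them.
    """
    for attr_type, value in attrs:
        if attr_type != ATTR_CLASS:
            continue
        text = value.decode("ascii", errors="replace")
        if text.startswith("OU="):
            return text[3:].rstrip(";")
    return None


def evaluate_login(packet, request_auth, secret=SHARED_SECRET):
    """Decide what the modelled ASA does with a RADIUS reply: (allowed, policy, reason)."""
    code, attrs = parse_radius(packet, request_auth, secret)
    if code != RADIUS_ACCESS_ACCEPT:
        return False, None, "RADIUS did not accept the credentials"
    name = group_policy_from_class(attrs)
    if name is None:
        name = TUNNEL_GROUP_DEFAULT_POLICY        # no OU= Class: tunnel-group default
    elif name not in ASA_GROUP_POLICIES:
        # Name mismatch between RADIUS and ASA; this model does not guess what a
        # real ASA does here, so treat it as a misconfiguration to fix.
        return False, name, "Class names a group policy that does not exist on the ASA"
    if ASA_GROUP_POLICIES[name]["vpn_simultaneous_logins"] == 0:
        return False, name, "group policy permits no logins (vpn-simultaneous-logins 0)"
    return True, name, "ok"


if __name__ == "__main__":
    # A user in the Sales AD group: IAS returns OU=GP-Sales; in Class.
    ok = build_access_accept(7, REQUEST_AUTHENTICATOR, [(ATTR_CLASS, b"OU=GP-Sales;")])
    print(evaluate_login(ok, REQUEST_AUTHENTICATOR))
    # A valid AD user in none of the mapped groups: accepted by RADIUS, no Class,
    # so the deny-all default policy applies.
    nogroup = build_access_accept(8, REQUEST_AUTHENTICATOR, [(ATTR_USER_NAME, b"rasmus")])
    print(evaluate_login(nogroup, REQUEST_AUTHENTICATOR))
```

The last case is the one to check in your own setup: a RADIUS Access-Accept without an `OU=` Class attribute is still an accept, so whether such a user gets in depends entirely on what the tunnel group's default group policy allows.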

Hello,

With a default connection policy, every AD user is authenticated. Is it possible to deny non-AD-group members?

Regards,

Raymond