01-20-2022 12:08 AM
Dear Sec Team,
I have a question about Remote Access VPN on ASA. I want to configure authentication for users based on Azure AD using login and password; additionally, after the credentials are entered, it asks me for a second auth based on MFA. I found this document:
It is very helpful, but it is for ALL users. In my network I have a couple of user groups that should be part of different GROUP-POLICYs. For all groups, all users should be authenticated the same way, but they must be assigned to different GROUP-POLICYs. I always used LDAP integration with ldap-mapping, but it was LOCAL AD. We don't have ISE. Is it possible to assign users to different groups when I want to use Azure AD/MFA?
01-20-2022 03:32 AM
Is it possible to assign users to different groups when I want to use Azure AD/MFA?
As I understand it, you would like to use different groups for authentication. I do not see an issue, as long as the profiles are bound to use that source.
Or are you having an issue configuring this?
Create a test profile, add users to it, and test it.
01-20-2022 03:53 AM
To make it easier to understand, I will describe the connection phases:
1. The client runs AnyConnect and connects to my ASA
2. The client must receive a prompt for username and password
3. After the right credentials, it should also receive a prompt from MS Authenticator
4. After the right token/push/SMS, it should connect to the corporate network
AD and MS Authenticator are in the Azure cloud. The configuration is very simple because I pasted the config guide into this topic, but this config guide describes a situation where we treat all users the same. In my situation users belong to different groups, and these groups should have different access permissions. My question is based on this: how do I solve this situation? How does the ASA know which group a user will belong to? If I had a local AD it wouldn't be a problem, because I could use LDAP and LDAP-MAP, but I want to use Azure.
01-20-2022 05:27 AM
I found the solution:
For multiple tunnel groups I'll need to add multiple applications (2 of them in your case) on the Azure side as well.
01-20-2022 06:14 AM
Nice that you resolved it, and thanks for the feedback!