Hi Cisco Experts,
I know there is a way to configure an LDAP map for getting authentication and authorization to specified groups only. Is there any way to configure the same for 2F authentication?
Let me brief you here my requirement.
I have configured 2 Remote Access VPNs (RAVPN1G and RAVPN2G) using RSA-2F authentication. Now there are 2 user groups in RSA (USER1G and USER2G). Currently both user groups are able to log in to both VPNs. We want to restrict it in such a way that USER1G should be able to log in to RAVPN1G only but not to the other one, and vice versa. We can do it in RSA, but is there any way to define the same in the ASA?
Is the ASA talking to the RSA server using the RADIUS or SDI protocol?
If it is RADIUS, then you can use the Tunnel-Group-Lock feature along with the RADIUS Class attribute to lock an AD user to a particular tunnel-group.
How it works:
User1G will have the RADIUS Class attribute (25) set to "OU=GroupPolicy1" on AD.
User2G will have the RADIUS Class attribute (25) set to "OU=GroupPolicy2" on AD.
GroupPolicy1 will have group-lock set to RAVPN1G and GroupPolicy2 will have group-lock set to RAVPN2G.
When User1 connects, they will receive the group policy GroupPolicy1, which only allows them to connect via RAVPN1G. Similarly for User2.
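The following ASA configuration is an added example of the Tunnel-Group-Lock arrangement described above; it is not from the original post. The server tag RSA-RADIUS, the address 192.0.2.10, the interface name "inside" and the shared secret are assumed placeholders; the group-policy and tunnel-group names are the ones used in the thread.

```cisco
! Added example, not the poster's configuration. Assumed values: RSA RADIUS
! server 192.0.2.10 behind interface "inside", shared secret is a placeholder.
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 192.0.2.10
 key RSA-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
!
! Group-policy names must match the Class (25) value the RADIUS server returns:
! "OU=GroupPolicy1" selects GroupPolicy1, "OU=GroupPolicy2" selects GroupPolicy2.
! The group-lock inside each policy ties it to exactly one tunnel-group.
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 group-lock value RAVPN1G
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 group-lock value RAVPN2G
!
! Fail-closed default: a user for whom RADIUS returns no Class attribute lands in
! this policy, which permits zero simultaneous logins.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Both tunnel-groups authenticate against the same RSA server. The Class attribute
! in the Access-Accept picks the group-policy; if that policy's group-lock names a
! different tunnel-group than the one the user connected to, the session is denied.
tunnel-group RAVPN1G type remote-access
tunnel-group RAVPN1G general-attributes
 authentication-server-group RSA-RADIUS
 default-group-policy NOACCESS
tunnel-group RAVPN1G webvpn-attributes
 group-alias RAVPN1G enable
tunnel-group RAVPN2G type remote-access
tunnel-group RAVPN2G general-attributes
 authentication-server-group RSA-RADIUS
 default-group-policy NOACCESS
tunnel-group RAVPN2G webvpn-attributes
 group-alias RAVPN2G enable
```

The NOACCESS default policy is an added safeguard, not something the thread mentions: without it, a user whose RADIUS reply carries no Class attribute inherits the tunnel-group's default policy and is not locked to anything.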
Thanks for the response, but:
1) Users are not configured locally; they are taken from RADIUS (the ASA is talking to the RSA server using RADIUS).
2) "OU=GroupPolicy1" on AD (how is AD required here?)
3) Can you please give the CLI configuration for the Class attribute (25) set to "OU=GroupPolicy1" on AD?
1) If RADIUS is the protocol and RSA is using internally defined users (on the RSA server itself), then the server should reply back with RADIUS attribute 25 (Class) set to the value "OU=GroupPolicy1". There is no Cisco documentation on the RSA server part that I could find, but searching through RSA's docs, I was able to find information on setting RADIUS user attributes on the RSA server here:
2) If AD were being used as the identity store for users, the RADIUS attribute would be set on the domain controller for the users. If you are not using AD, then the RADIUS attribute has to be returned by the RSA server.
3) For AD settings, please refer to the below guide:
The ASA does not require any configuration to map Class to Group-Policy; this is done automatically.
Can you help with the following configuration?
Currently the ASA and AD integration is done and group policies are mapped to an AD user group:
ldap attribute-map ANYCONNECT
map-name memberOf Group-Policy
map-value memberOf "CN=CP-Users,OU=VPN-Access,OU=Corp-Users,DC=cisco,DC=org" CP-USERS-GP
Now AD is replaced with Microsoft MFA and I need to have a similar kind of mapping, but I am not able to find the relevant mapping under the RADIUS server.
AAA server configuration commands:
accounting-port Specify the port number to be used for accounting
acl-netmask-convert Specify the ACL Downloadable Netmask Operation
authentication-port Specify the port number to be used for authentication
exit Exit from aaa-server host configuration mode
group-search-timeout Specify the maximum time to wait for response from
configured server when using the 'show ad-groups'
help Help for AAA server configuration commands
key Specify the secret used to authenticate the NAS to the
mschapv2-capable Enter this keyword to indicate that the server supports
MSChap V2 requests
no Remove an item from aaa-server host configuration
proxy-auth_map Specify proxy auth protocol table type
radius-common-pw Specify a common password for all RADIUS authorization
retry-interval Specify the amount of time between retry attempts
timeout Specify the maximum time to wait for response from
How do I get the user group (MFA, attribute 25 abstracted from AD) to match the VPN group policy?
This mapping is automatically done by the ASA for RADIUS without any config required. All you need to do is set the Class attribute (RADIUS 25) through the NPS extension for MFA. The ASA will map this attribute to the group-policy.
NPS extension with Azure MFA is here:
ASA NPS integration is here:
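As an added example (not from the original reply), here is the ASA side for the NPS case and the commands used to confirm that the Class attribute actually arrives and is mapped. The server tag NPS-MFA, the address 192.0.2.20, the interface "inside", the shared secret and the account testuser are assumed placeholders.

```cisco
! Added example, not the poster's configuration. Assumed values: NPS server
! 192.0.2.20 behind interface "inside", placeholder shared secret.
aaa-server NPS-MFA protocol radius
aaa-server NPS-MFA (inside) host 192.0.2.20
 key NPS-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
 ! Assumption: a longer timeout than the default leaves room for the user to
 ! answer the MFA prompt before the ASA retries or gives up on the request.
 timeout 60
!
! No ldap attribute-map is involved: for RADIUS the ASA reads Class (25) from the
! Access-Accept and applies the group-policy whose name follows "OU=".
!
! Verification from enable mode (the password is a placeholder):
! test aaa-server authentication NPS-MFA host 192.0.2.20 username testuser password PLACEHOLDER
! debug radius all
!   -> inspect the Access-Accept for the Class attribute and its "OU=..." value
! show vpn-sessiondb anyconnect filter name testuser
!   -> the Group Policy and Tunnel Group fields show what the ASA applied
```

If the session shows the tunnel-group's default policy instead of the expected one, the Class attribute is either missing from the NPS reply or its value does not match an existing group-policy name on the ASA.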
Perhaps an old topic, but almost the same situation:
1) Cisco ASA
2) NPS as Radius
3) Two RA VPN profiles/groups (for example VPN1group, VPN2group) with different access rights and different VPN profiles (P1 and P2)
4) Users: us1, us2, us3, us4, us5
How to make us5 the member of both groups at the same time?
The goal is to allow user us5 to have both VPN profiles and to use the corresponding profile based on the access required.