11-14-2012 01:15 PM
I have VPN users authenticating against MS Active Directory for my internal users.
Now I would like to move my vendors from a VPN 3030 Concentrator to Active Directory and use MS Active Directory for authentication.
I would like to duplicate the access list restrictions and filters I have on the VPN 3030 on the ASA.
How do I set up the ASA to get an access list for a user from MS Active Directory and apply that to a VPN session?
The AD has a field called msRadiusFramedRoute that looks promising?
Kenneth.
11-16-2012 04:22 AM
Currently you are configuring an LDAP attribute map on the ASA to map it to a specific group policy.
Have you configured the AD with the access list, or are you just about to configure it?
Or do you want to just configure the VPN filter on the ASA group policy itself, since you already configured an attribute map to map it to a specific group policy?
11-16-2012 09:24 AM
I was hoping that, instead of creating 20 different access lists on the ASA, I could have the ASA pull the access list from the AD controller for the set of rules that apply to traffic for a specified vendor.
Here is what I want to accomplish.
All vendors access the 10.1.3.x network DNS servers.
Vendor A accesses the 10.1.20.x network and the 10.1.18.x network.
Vendor B accesses host 10.1.18.20 only and the 10.1.15.1/28 network.
Vendor C accesses only host 10.10.10.10.
Vendor D accesses only host 10.10.20.25.
Vendor E accesses only network 10.100.x.x.
etc.
I was hoping to manage it all with AD.
11-17-2012 05:31 AM
Ahhh, in that case you can use the LDAP attribute map, mapping the LDAP attribute "info" to the Cisco attribute "Cisco-AV-Pair".
Here is the ACL syntax for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1763743
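The approach in the answer above, worked through as an added example (not code from the thread or from Cisco): the script builds the `ip:inacl#N=...` Cisco-AV-Pair strings for each vendor listed earlier in the thread and emits the matching ASA `ldap attribute-map` stanza. The DNS network is assumed to be a /24, the per-vendor networks are taken from the thread, and the attribute-map name, AAA server name and host address are made-up placeholders. Wildcard masks (not subnet masks) are used because that is what the Cisco-AV-Pair ACL syntax takes; the example also normalises an address-with-host-bits such as 10.1.15.1/28 to its network before rendering.

```python
"""Generate per-vendor Cisco-AV-Pair ACL rules for an ASA VPN session.

Added example, not from the forum thread. The vendor data mirrors the
thread; the /24 for the DNS servers and every name below are assumptions.
"""
import ipaddress

# Constructed sample data. Reachable by every vendor (assumed /24 for "10.1.3.x").
DNS_NETWORK = "10.1.3.0/24"

# Per-vendor destinations from the thread. Values are CIDR strings; host
# bits are tolerated (10.1.15.1/28 is normalised to 10.1.15.0/28 below).
VENDORS = {
    "vendorA": ["10.1.20.0/24", "10.1.18.0/24"],
    "vendorB": ["10.1.18.20/32", "10.1.15.1/28"],
    "vendorC": ["10.10.10.10/32"],
    "vendorD": ["10.10.20.25/32"],
    "vendorE": ["10.100.0.0/16"],
}


def dest_clause(cidr):
    """Render a destination for Cisco-AV-Pair ACL syntax: 'host A' or 'A wildcard'."""
    net = ipaddress.ip_network(cidr, strict=False)  # drop host bits, e.g. 10.1.15.1/28
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    # hostmask is the wildcard mask (0.0.0.255 for a /24), which is what the
    # Cisco-AV-Pair ACL grammar expects, unlike ASA 'access-list' lines.
    return f"{net.network_address} {net.hostmask}"


def av_pairs(vendor):
    """Return the ordered 'ip:inacl#N=...' strings to store for one vendor.

    Rule order is the match order on the ASA, so the shared DNS rules come
    first, then the vendor-specific permits, then an explicit deny so the
    intent is visible in AD even though the ASA denies unmatched traffic anyway.
    """
    dns = dest_clause(DNS_NETWORK)
    rules = [
        f"permit udp any {dns} eq 53",
        f"permit tcp any {dns} eq 53",
    ]
    rules += [f"permit ip any {dest_clause(c)}" for c in VENDORS[vendor]]
    rules.append("deny ip any any")
    # Source is 'any' because the client's assigned pool address is not known
    # when the rule is written; the ACL is applied inbound on that user's tunnel.
    return [f"ip:inacl#{i}={rule}" for i, rule in enumerate(rules, start=1)]


def asa_ldap_config(map_name="VENDOR-ACL", server_group="AD", host="10.1.3.10"):
    """Return the ASA configuration that maps AD 'info' to Cisco-AV-Pair.

    All three names/addresses are assumptions chosen for the example; the
    base DN and login DN are left as placeholders for the reader to fill in.
    """
    return "\n".join([
        f"ldap attribute-map {map_name}",
        f" map-name info Cisco-AV-Pair",
        f"aaa-server {server_group} protocol ldap",
        f"aaa-server {server_group} (inside) host {host}",
        f" ldap-base-dn DC=example,DC=local",
        f" ldap-scope subtree",
        f" ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=local",
        f" ldap-login-password ***",
        f" server-type microsoft",
        f" ldap-attribute-map {map_name}",
    ])


if __name__ == "__main__":
    for name in VENDORS:
        print(f"# {name}: value(s) for the AD 'info' attribute")
        for line in av_pairs(name):
            print(line)
    print(asa_ldap_config())
```

Each vendor's rules go into that vendor's AD account (or a template account the vendor accounts inherit from, if you manage it that way) in the attribute the map names, and the tunnel group the vendors land in must point at the same LDAP server group for authorization so the attribute is actually fetched. Before relying on it, confirm with `debug ldap 255` on the ASA that the mapped attribute arrives with the expected values and that `show vpn-sessiondb detail` reports the per-user filter on the session.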