DAP and LDAP

darreng
Level 1

We have a number of Employees and 3rd Party users who access our VPN. The 3rd parties are from different organisations as they support different pieces of kit. Both may be in multiple AD Groups as both work internally and externally at times.

Up to now we have used an LDAP attribute map to place users in different groups, e.g. Employees or Contractors.

I am looking to deploy some Cisco 5525X's and want to use DAP to get more granular on the privileges assigned to Contractors.

Is it possible to somehow identify, say, Contractor 1 from Contractor 2 through DAP by matching on the different AD Groups that Contractor 1 may be in versus Contractor 2? Separation in this way then allows me to use downloadable ACLs etc.

Or any other way...

Regards

Darren

Sent from Cisco Technical Support iPad App


marek_k13
Level 1

You can use the LDAP attribute memberof in order to distinguish users from different AD security groups.

For instance, attribute memberof with a value ContractorGroup1 will match any users who are members of the ContractorGroup1 AD security group.
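The group-matching idea from the reply above, modelled in Python as an added example (not part of the thread and not ASA configuration). It matches on the exact group CN taken from each memberOf value, so ContractorGroup10 does not satisfy a rule for ContractorGroup1, and it flags users who fall into more than one contractor group. All group names other than ContractorGroup1, the policy names and the sample DNs are constructed assumptions.

```python
import re

# Hypothetical mapping of AD group CN -> policy name (names are constructed).
POLICY_BY_GROUP = {
    "contractorgroup1": "DAP-Contractor1",
    "contractorgroup2": "DAP-Contractor2",
    "employees": "DAP-Employees",
}
DEFAULT_POLICY = "DAP-NoAccess"  # hypothetical fallback when nothing matches

def group_cns(member_of):
    """Return the lower-cased leading CN of each memberOf DN."""
    cns = []
    for dn in member_of:
        # First RDN of a group DN is its CN; tolerate escaped characters (\,).
        m = re.match(r"\s*CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
        if m:
            cns.append(re.sub(r"\\(.)", r"\1", m.group(1)).strip().lower())
    return cns

def select_policies(member_of):
    """Return (policies, warnings) for one user's memberOf values."""
    cns = group_cns(member_of)
    # Exact CN lookup, never a substring test on the DN.
    policies = sorted({POLICY_BY_GROUP[c] for c in cns if c in POLICY_BY_GROUP})
    warnings = []
    contractor = [p for p in policies if p.startswith("DAP-Contractor")]
    if len(contractor) > 1:
        warnings.append("matches several contractor groups: " + ", ".join(contractor))
    return (policies or [DEFAULT_POLICY]), warnings

# Constructed sample directory data.
BASE = "OU=Groups,DC=example,DC=com"
SAMPLE_USERS = {
    "vendor_a": ["CN=ContractorGroup1," + BASE],
    "vendor_b": ["CN=ContractorGroup10," + BASE],
    "staff_c": ["CN=Employees," + BASE, "CN=ContractorGroup2," + BASE],
    "mixed_d": ["CN=ContractorGroup1," + BASE, "CN=ContractorGroup2," + BASE],
}

if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        print(user, select_policies(groups))
```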
