cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
276
Views
0
Helpful
1
Replies

LDAP mapping to Group Policy using Certificates

donovan.chetty
Level 1
Level 1

Hello,

We are implementing a new AnyConnect VPN solution using certificate based authentication. One of the key requirements is to create 3 different group polices whereby the appropriate restrictions will be applied. The requires that user recieve IP addresses from different pools and filtering will be applied based on these incoming addresses.

I am trying to achieve the following:

1. Being certificate based authentication, user is not required to enter login credentials. The user certificate should be used to authenticate the user. (this is currently working)

2. Based on the "some attribute" in the certificate -> I want to map the user to a specific group policy on the ASA and ultimately to the corresponding group on LDAP. This way, the filtering on the group policy will then kick in.

Can anybody assist on this?

Thanks.

1 Reply 1

Marcin Latosiewicz
Cisco Employee
Cisco Employee

You can try extracting that field from ASA and making _authorization_ (not authentication) call to your LDAP to see which group that should be.

i.e.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/uz.html#wp1634024

+

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ref_extserver.html#wp1661573

Didn't try it, but conceptually should work.