
LDAP mapping to Group Policy using Certificates

donovan.chetty
Level 1

Hello,

We are implementing a new AnyConnect VPN solution using certificate-based authentication. One of the key requirements is to create 3 different group policies whereby the appropriate restrictions will be applied. This requires that users receive IP addresses from different pools, and filtering will be applied based on these incoming addresses.

I am trying to achieve the following:

1. Being certificate-based authentication, the user is not required to enter login credentials. The user certificate should be used to authenticate the user. (This is currently working.)

2. Based on "some attribute" in the certificate, I want to map the user to a specific group policy on the ASA and ultimately to the corresponding group in LDAP. This way, the filtering on the group policy will then kick in.

Can anybody assist on this?

Thanks.

1 Reply

Marcin Latosiewicz
Cisco Employee

You can try extracting that field from the certificate on the ASA and making an _authorization_ (not authentication) call to your LDAP to see which group that should be.

i.e.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/uz.html#wp1634024

+

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ref_extserver.html#wp1661573

Didn't try it, but conceptually should work.
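The "certificate authenticates, LDAP authorizes" flow that the reply points at, written out as an ASA configuration. This is an added example, not configuration from the thread or from Cisco; the server address, bind DN, group DNs, pool ranges, ACL contents and the choice of UPN as the certificate field are all assumptions and have to be replaced with your own values.

```text
! Added example (not from the original thread). All names, addresses and DNs
! are assumed placeholders.

! 1. Translate the user's LDAP group membership into an ASA group-policy name.
!    The Cisco attribute Group-Policy is assumed to be available on the
!    release in use (ASA 8.2); older releases used IETF-Radius-Class instead.
ldap attribute-map LDAP-GP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Full,OU=Groups,DC=example,DC=com"       GP-FULL
 map-value memberOf "CN=VPN-Restricted,OU=Groups,DC=example,DC=com" GP-RESTRICTED
 map-value memberOf "CN=VPN-Guest,OU=Groups,DC=example,DC=com"      GP-GUEST

! 2. LDAP server used for authorization only. The bind account only needs
!    read access to the user objects and their memberOf attribute.
aaa-server LDAP-AUTHZ protocol ldap
aaa-server LDAP-AUTHZ (inside) host 10.1.1.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map LDAP-GP-MAP

! 3. One address pool (and, where needed, one vpn-filter) per group policy,
!    so the restrictions follow the assigned address range.
ip local pool POOL-FULL       10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL-RESTRICTED 10.10.2.1-10.10.2.254 mask 255.255.255.0
ip local pool POOL-GUEST      10.10.3.1-10.10.3.254 mask 255.255.255.0

access-list ACL-RESTRICTED extended permit tcp 10.10.2.0 255.255.255.0 host 10.20.0.5 eq 443
access-list ACL-RESTRICTED extended deny ip any any
access-list ACL-GUEST extended permit tcp 10.10.3.0 255.255.255.0 host 10.20.0.9 eq 80
access-list ACL-GUEST extended deny ip any any

group-policy GP-FULL internal
group-policy GP-FULL attributes
 address-pools value POOL-FULL
group-policy GP-RESTRICTED internal
group-policy GP-RESTRICTED attributes
 address-pools value POOL-RESTRICTED
 vpn-filter value ACL-RESTRICTED
group-policy GP-GUEST internal
group-policy GP-GUEST attributes
 address-pools value POOL-GUEST
 vpn-filter value ACL-GUEST

! 4. Tunnel group: the certificate authenticates, LDAP authorizes. The name
!    looked up in LDAP is taken from the certificate; UPN (in the SAN) is the
!    assumed field, CN or another attribute can be used instead.
tunnel-group CERT-VPN type remote-access
tunnel-group CERT-VPN general-attributes
 authorization-server-group LDAP-AUTHZ
 authorization-required
 username-from-certificate UPN
 default-group-policy GP-GUEST
tunnel-group CERT-VPN webvpn-attributes
 authentication certificate
```

Two points worth checking before relying on this. With authorization-required set, a certificate holder who is not found in LDAP is rejected, while one who is found but belongs to none of the mapped groups lands in default-group-policy, so the default should be the most restrictive policy rather than the most permissive. If a user is a member of more than one mapped group, the result depends on which memberOf value the directory returns and the ASA matches, so keep the mapped groups mutually exclusive (or map a single-valued attribute instead). "test aaa-server authorization LDAP-AUTHZ host 10.1.1.10 username jdoe" together with "debug ldap 255" shows which value was returned and which group policy was chosen.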