11-29-2011 01:13 PM - edited 02-21-2020 05:44 PM
I can't seem to find any documentation to how to get this working. I'm trying to make it so that only users of a certain AD group are authenticated for my Anyconnect VPN on my ASA 8.2.2
I've found the documentation on how to prevent logins using the msNPAllowDialin attribute, but not how to base it on group membership (memberOf)
This is what I have configured:
ldap attribute-map AllowVPN
  map-name memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Users,OU=Groups,OU=City,OU=Country,DC=us,DC=mydom,DC=net" TESTGROUP
aaa-server ADAUTH (inside) host 10.1.1.1
  server-port 389
  ldap-base-dn DC=us,DC=mydom,DC=net
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn CN=Public,OU=Service,OU=City,OU=Country,DC=us,DC=mydom,DC=net
  server-type microsoft
  ldap-attribute-map AllowVPN
Do I need to do any kind of restrictions inside the actual group-policy TESTGROUP ?
11-29-2011 04:01 PM
Jeff (if I may),
You can do terminate/continue/banner options based on information received during different phases in DAP.
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
Note "figure 6" indicating usage of "memberOf".
It requires some testing but DAP looks to me like a natural way to go.
Marcin
11-30-2011 08:13 AM
Thanks, DAP does seem to be the way to go with this. I found a similar article to what you posted last night which confirmed the same type of screenshots.
I will just have to set time aside to update my policies on my ASA to take advantage of this. I guess as a best practice in the future, I need to make sure I update the DfltAccessPolicy to Terminate from the start, because I have a number of production services on my ASA which could be affected if I do change it now.
Thanks!
Jeff
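The following is an added, offline model of the two mechanisms this thread touches on; it is not Cisco code and not something either poster wrote. It parses the ldap attribute-map from the question and walks a few constructed AD entries through (a) the attribute map alone, which only selects a group-policy and never denies a login, and (b) a DAP record keyed on memberOf with the DfltAccessPolicy set to terminate, which is what Marcin's suggestion and Jeff's follow-up describe. The evaluation rules (first matching memberOf value wins, exact string comparison of the DN, DfltGrpPolicy as the fallback group-policy) are assumptions for illustration and should be confirmed against a real ASA with its LDAP debugs before relying on them.

```python
"""Offline model of memberOf -> IETF-Radius-Class -> group-policy mapping and of
a DAP record that terminates sessions for users outside the allowed AD group.
Added example, not Cisco code; evaluation rules are assumptions (see comments)."""
import re
from dataclasses import dataclass, field

# Constructed copy of the attribute map posted in the question.
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map AllowVPN
  map-name memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Users,OU=Groups,OU=City,OU=Country,DC=us,DC=mydom,DC=net" TESTGROUP
"""

VPN_GROUP_DN = "CN=VPN Users,OU=Groups,OU=City,OU=Country,DC=us,DC=mydom,DC=net"

# Constructed AD entries (attribute name -> list of values); not real accounts.
LDAP_ENTRIES = {
    "alice": {"memberOf": [VPN_GROUP_DN,
                           "CN=Domain Users,CN=Users,DC=us,DC=mydom,DC=net"]},
    "bob":   {"memberOf": ["CN=Domain Users,CN=Users,DC=us,DC=mydom,DC=net"]},
    "carol": {},   # no memberOf returned at all
}


@dataclass
class AttributeMap:
    name: str
    map_names: dict = field(default_factory=dict)   # ldap attr -> Cisco attr
    map_values: dict = field(default_factory=dict)  # (ldap attr, ldap value) -> Cisco value


# map-value <ldap-attr> "<quoted value>" <cisco-value>   or   map-value <attr> <value> <cisco-value>
_MAP_VALUE_RE = re.compile(r'map-value\s+(\S+)\s+(?:"([^"]+)"|(\S+))\s+(\S+)$')


def parse_attribute_map(text):
    """Parse the CLI lines of a single 'ldap attribute-map' block."""
    amap = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ldap attribute-map "):
            amap = AttributeMap(name=line.split()[2])
        elif line.startswith("map-name "):
            _, ldap_attr, cisco_attr = line.split()
            amap.map_names[ldap_attr] = cisco_attr
        elif line.startswith("map-value "):
            m = _MAP_VALUE_RE.match(line)
            ldap_attr, quoted, bare, cisco_val = m.groups()
            amap.map_values[(ldap_attr, quoted or bare)] = cisco_val
    return amap


def resolve_group_policy(amap, entry, default_policy="DfltGrpPolicy"):
    """Group-policy the map would hand to the user, plus whether any map-value
    matched.  Assumption: first matching memberOf value wins, exact DN match."""
    for ldap_attr, cisco_attr in amap.map_names.items():
        if cisco_attr != "IETF-Radius-Class":
            continue
        for value in entry.get(ldap_attr, []):
            mapped = amap.map_values.get((ldap_attr, value))
            if mapped is not None:
                return mapped, True
    # No match: the map does not deny anything, the user just gets the default.
    return default_policy, False


def dap_action(entry, allowed_group_dn, default_action="terminate"):
    """Model of a DAP record selected on memberOf with DfltAccessPolicy set to
    terminate: members continue, everyone else gets the default action."""
    if allowed_group_dn in entry.get("memberOf", []):
        return "continue"
    return default_action


def evaluate(amap, entries, allowed_group_dn):
    """Per-user outcome under the attribute map and under the DAP record."""
    results = {}
    for user, entry in entries.items():
        policy, matched = resolve_group_policy(amap, entry)
        results[user] = {
            "group_policy": policy,
            "map_matched": matched,
            "dap_action": dap_action(entry, allowed_group_dn),
        }
    return results


if __name__ == "__main__":
    parsed = parse_attribute_map(ATTRIBUTE_MAP_CONFIG)
    for user, r in evaluate(parsed, LDAP_ENTRIES, VPN_GROUP_DN).items():
        print(f"{user:6} group-policy={r['group_policy']:13} "
              f"map-matched={r['map_matched']!s:5} dap={r['dap_action']}")
```

Running it shows the gap the question is really about: bob and carol still authenticate under the attribute map alone and simply land in DfltGrpPolicy, so a restriction on TESTGROUP would not stop them; only the DAP record with a terminating default policy turns non-membership into a denied session.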