Remote access VPN and vpn-filter attribute inherited by LDAP o RADIUS

l.buschi
Level 2

Hello,

I have some remote access VPNs with local authentication.

I'd like to authenticate my users by RADIUS or LDAP or anything else, but I want to associate my users with the following attributes:

group-lock
vpn-filter

Is there a way to accomplish this?

Do you have any simple document step by step?

The AAA server I'll use will be a W2008 or higher.


Thanks

Johnny


AllertGen
Level 3

Hello, Johnny.

Can you tell what you are using as the VPN server? Is it a router or an ASA/PIX?

ASA5515X

IOS ver 9.2.3 (or higher in the future)

Yes, it's possible to do. There is an example that you can use for AD: http://www.tunnelsup.com/cisco-asa-vpn-authorize-user-based-on-ldap-group


Thank you very much,

I wonder what happens if in my AD I have many groups?

I.e. my username johnny is a member of the INSIDE group (for domain policies) and of the NORESTRICT group (for VPN access).

Will the LDAP lookup match the INSIDE group first and not map it to any group policy, inheriting the default no-access group policy?


Thanks

Johnny


Hi, Johnny.

The ASA can check only for a match on the "NORESTRICT" group, ignoring all others. So if you use the line:

map-value memberOf CN=NORESTRICT Access_Group

and create only one tunnel-group "Access_Group", then only members of the "NORESTRICT" group can connect by VPN. All others will get an error at connection.

You can also look at this documentation: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
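As an added example (not posted in this thread and not taken from the linked documents), here is a complete ASA configuration that ties the pieces together: AD group membership is mapped onto IETF-Radius-Class, so a member of NORESTRICT lands in a group-policy carrying vpn-filter and group-lock, while any other authenticated user falls into the tunnel-group's default policy, which refuses the login. The server address, DNs, ACL contents and every name below are assumed placeholders.

```cisco
! LDAP server definition (placeholder host, DNs and credentials)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-MAP

! memberOf is multi-valued; only values listed in map-value lines are
! translated into a group-policy name, any other group (e.g. INSIDE) is ignored.
ldap attribute-map AD-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=NORESTRICT,OU=Groups,DC=example,DC=com Access_Group

! vpn-filter ACL (assumed subnet): restrict VPN users to one internal network
access-list NORESTRICT-FILTER extended permit ip any 10.10.0.0 255.255.0.0
access-list NORESTRICT-FILTER extended deny ip any any

! Policy handed to NORESTRICT members: filtered, and locked to one tunnel-group
group-policy Access_Group internal
group-policy Access_Group attributes
 vpn-tunnel-protocol ssl-client ikev2
 vpn-filter value NORESTRICT-FILTER
 group-lock value RA-TUNNEL

! Policy for everyone whose memberOf matched nothing: no sessions allowed
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

! Remote access tunnel-group authenticating against AD, defaulting to NoAccess
tunnel-group RA-TUNNEL type remote-access
tunnel-group RA-TUNNEL general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NoAccess
```

You can check the mapping with `test aaa-server authentication AD-LDAP host 192.0.2.10 username johnny password <pw>` together with `debug ldap 255`, and confirm the applied group-policy and filter on a live session with `show vpn-sessiondb detail anyconnect`.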