Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4218
Views
0
Helpful
3
Replies

Restrict certain AD users from VPN access?

Go to solution
aelsbernd
Level 1
Level 1

‎12-14-2012 08:10 AM

Is it possible to deny VPN access to specific AD accounts?

Currently setup with 5520, LDAP authentication for VPN users.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Muhammed Safwan
Level 1
Level 1

‎12-14-2012 08:22 AM

You can use Dial-in of user account properties and you need to map with this user attribute in the ASA. Configuration will look like this.

ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP host 172.18.254.49
 server-type microsoft
 ldap-attribute-map CISCOMAP

If you select Allow access in user AD attributes then user can connect vpn otherwise not.

With Regards,

Safwan

Don't forget to rate helpful posts

View solution in original post

0 Helpful

Go to solution
Muhammed Safwan
Level 1
Level 1
In response to aelsbernd

‎12-14-2012 08:52 AM

No, its not possible with kerberos authentication. but you can do like this, kerberose for authentication and ldap for authorization.

With Regards,

Safwan

Don't forget to rate helpful posts

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Muhammed Safwan
Level 1
Level 1

‎12-14-2012 08:22 AM

You can use Dial-in of user account properties and you need to map with this user attribute in the ASA. Configuration will look like this.

ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP host 172.18.254.49
 server-type microsoft
 ldap-attribute-map CISCOMAP

If you select Allow access in user AD attributes then user can connect vpn otherwise not.

With Regards,

Safwan

Don't forget to rate helpful posts

0 Helpful

Go to solution
aelsbernd
Level 1
Level 1
In response to Muhammed Safwan

‎12-14-2012 08:28 AM

Thanks for the reply.

What if the authentication is Kerberos?

0 Helpful

Go to solution
Muhammed Safwan
Level 1
Level 1
In response to aelsbernd

‎12-14-2012 08:52 AM

No, its not possible with kerberos authentication. but you can do like this, kerberose for authentication and ldap for authorization.

With Regards,

Safwan

Don't forget to rate helpful posts

0 Helpful
Customers Also Viewed These Support Documents