Restrict certain AD users from VPN access?

Is it possible to deny VPN access to specific AD accounts?

Currently setup with 5520, LDAP authentication for VPN users.

3 REPLIES

You can use the Dial-in property of the user account, and you need to map this user attribute in the ASA. The configuration will look like this.

! Map the AD user's Dial-in property (msNPAllowDialin) onto the RADIUS
! Class attribute, which the ASA uses to select the group policy.
ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS

! Group policy for denied users: zero simultaneous logins refuses the session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Group policy for allowed users.
group-policy ALLOWACCESS internal

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP host 172.18.254.49
 server-type microsoft
 ldap-attribute-map CISCOMAP

If you select "Allow access" in the user's AD attributes, the user can connect to the VPN; otherwise not.

With Regards,

Safwan

Don't forget to rate helpful posts

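The mapping above only decides anything for accounts whose msNPAllowDialin is explicitly TRUE or FALSE. An account set to "Control access through NPS Network Policy" in AD has the attribute unset, matches no map-value, and lands in the tunnel group's default group policy. The following script is an added example, not code from the thread or from Cisco: it parses the posted attribute-map text, applies it to a few constructed directory entries, and reports which accounts fall through to the default. The group-policy names NOACCESS, ALLOWACCESS and DfltGrpPolicy and their vpn-simultaneous-logins values are assumptions for the illustration.

```python
"""Added example: model how a Cisco ASA ldap attribute-map turns the AD
Dial-in property (msNPAllowDialin) into a group-policy name, and audit
which accounts would fall through to the default policy.

Assumptions (not from the original post): the ASA has group policies
NOACCESS, ALLOWACCESS and DfltGrpPolicy, and NOACCESS carries
'vpn-simultaneous-logins 0' so a session mapped to it is refused.
"""

# The attribute map exactly as posted in the thread.
ATTRIBUTE_MAP = """\
ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS
"""

# vpn-simultaneous-logins per group policy (assumed values).
PERMISSIVE_DEFAULT = {"NOACCESS": 0, "ALLOWACCESS": 3, "DfltGrpPolicy": 3}
HARDENED_DEFAULT = {"NOACCESS": 0, "ALLOWACCESS": 3, "DfltGrpPolicy": 0}

# Constructed directory entries. carol is set to "Control access through
# NPS Network Policy" in AD, which leaves msNPAllowDialin unset.
USERS = [
    {"sAMAccountName": "alice", "msNPAllowDialin": "TRUE"},
    {"sAMAccountName": "bob", "msNPAllowDialin": "FALSE"},
    {"sAMAccountName": "carol"},
]


def parse_attribute_map(text):
    """Parse map-name / map-value lines into two lookup tables."""
    names = {}   # AD attribute -> ASA attribute
    values = {}  # (AD attribute, AD value) -> mapped ASA value
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "map-name":
            names[parts[1]] = parts[2]
        elif len(parts) == 4 and parts[0] == "map-value":
            values[(parts[1], parts[2])] = parts[3]
    return names, values


def group_policy_for(entry, names, values, default="DfltGrpPolicy"):
    """Return (policy, matched). An absent attribute or an unmapped value
    matches no map-value, so the tunnel group's default policy applies."""
    for ad_attr, asa_attr in names.items():
        if not asa_attr.endswith("IETF-Radius-Class"):
            continue  # only the Class attribute selects a group policy
        raw = entry.get(ad_attr)
        if raw is None:
            continue
        mapped = values.get((ad_attr, raw))  # AD returns booleans as TRUE/FALSE
        if mapped is not None:
            return mapped, True
    return default, False


def vpn_allowed(entry, names, values, logins):
    """True if the mapped group policy permits at least one login."""
    policy, _ = group_policy_for(entry, names, values)
    return logins.get(policy, 0) > 0


def audit(users, map_text, logins):
    """Return {user: (policy, allowed)} plus the list of users who matched
    no map-value and therefore rely on the default group policy."""
    names, values = parse_attribute_map(map_text)
    report, unmapped = {}, []
    for entry in users:
        policy, matched = group_policy_for(entry, names, values)
        report[entry["sAMAccountName"]] = (policy, logins.get(policy, 0) > 0)
        if not matched:
            unmapped.append(entry["sAMAccountName"])
    return report, unmapped


if __name__ == "__main__":
    report, unmapped = audit(USERS, ATTRIBUTE_MAP, PERMISSIVE_DEFAULT)
    for user, (policy, ok) in report.items():
        print(f"{user:8} -> {policy:14} {'allowed' if ok else 'denied'}")
    print("fell through to default policy:", unmapped)
```

Run against the permissive defaults, carol is allowed in even though nobody granted her Dial-in access; with the hardened defaults (default group policy also at zero logins) only explicitly allowed accounts connect. The same audit can be pointed at a real export of msNPAllowDialin values to find accounts that depend on the default.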


Thanks for the reply.

What if the authentication is Kerberos?


No, it's not possible with Kerberos authentication, but you can do it like this: Kerberos for authentication and LDAP for authorization.

With Regards,

Safwan

Don't forget to rate helpful posts
