SSL VPN and DAP with AD

netbin2009 (Level 1)

Hi!

I'm trying to solve a problem with my ASA 5510. I would like to publish applications behind Clientless SSL VPN for different users that will belong to groups created in AD. Do I have to use URLs to get complete separation of bookmarks and, for example, redirect to a web server and other layout and access rules at the portal?

I will try to explain what would be ideal and let's see if someone will come up with a solution.

User A (member of AD group RDP_CIFS) logs in and gets a couple of bookmarks to an RDP server and also access to the Common and Home drives via CIFS.

User B (member of AD group Redirect2Site) logs in and gets redirected to an internal published RDWeb/Ericom/Citrix server login page.

User C (member of AD group RDP2Server1) logs in and gets only a published RDP connection to server1.

I would like to achieve this without the user having to choose in a drop-down box (for the URL) or editing the URL in the address field.

The ASA is connected via an MSKCD Kerberos AAA server group and my idea was to use DAP for making the AD group selection of what is published in a new DAP policy.


Julio Carvajal (VIP Alumni)

Hello Fredrik,

I think your suggestion is the solution to this thread, I mean doing this via a DAP makes sense. Then the user will be mapped to the right connection profile without the necessity for him to select the profile.

And you can also customize your own DAP so you can set the right bookmarks for each one of them depending on the attributes of the AAA server (the attributes will need to be LDAP, RADIUS or Cisco).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have tried this via DAP but I get stuck. How should I configure connection profiles, group policies and dynamic access policies so that the user gets different bookmarks and stuff depending on AD group membership?

If I disable DfltAccessPolicy and create a new DAP where I put the suggested group from AD under Selection Criteria (ldap.memberOf=ADGROUP) I'm not able to log in at the SSL VPN portal. Some other forums suggest the use of a Cisco attribute to map against AD to make the selection. I'm not really sure if I understand how this should help.

Regards,

Fredrik
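One way to get the per-group separation described in the opening post and asked about again in the follow-up, as an added example that is neither Fredrik's nor Julio's configuration: an ASA CLI snippet in which the ASA reads each user's AD memberOf attribute through an LDAP attribute map and maps it to a dedicated clientless group-policy, with a deny-by-default policy for anyone who matches no group. The point that matters for both the attribute-map approach and a DAP keyed on ldap.memberOf is that the ASA only sees memberOf when an LDAP server takes part in the AAA flow; a Kerberos authentication server returns no group attributes, and a DAP whose only selection criterion is an attribute the ASA never receives cannot match. The example therefore keeps the existing MSKCD Kerberos group for authentication and adds an AD LDAP server for authorization. Everything else is assumed: the LDAP host address, the base DN and bind account, the OU layout, the group-policy names and the bookmark-list names (which have to be created in the ASDM bookmark editor, since url-lists are imported rather than typed at the CLI); webvpn is assumed to be already enabled on the outside interface.

```text
! Added example, not the thread's own config. Assumed ASA 8.4+ syntax;
! every address, DN, account and policy name below is a placeholder.

! --- AD reachable over LDAP so the ASA can read memberOf ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap-bind,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-GP

! --- memberOf -> group-policy; any group not listed maps to nothing ---
ldap attribute-map AD-GROUP-TO-GP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=RDP_CIFS,OU=VPN Groups,DC=example,DC=local"      GP-RDP-CIFS
 map-value memberOf "CN=Redirect2Site,OU=VPN Groups,DC=example,DC=local" GP-REDIRECT
 map-value memberOf "CN=RDP2Server1,OU=VPN Groups,DC=example,DC=local"   GP-RDP-SERVER1

! --- Deny by default: a user matching no group gets zero sessions ---
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! User A: RDP bookmarks plus CIFS file browsing
! (bookmark list BM-RDP-CIFS assumed to exist, built in ASDM)
group-policy GP-RDP-CIFS internal
group-policy GP-RDP-CIFS attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value BM-RDP-CIFS
  url-entry disable
  file-browsing enable
  file-entry enable

! User B: no portal, straight redirect to the internal web front end
group-policy GP-REDIRECT internal
group-policy GP-REDIRECT attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  homepage value https://rdweb.example.local/RDWeb
  url-entry disable
  file-browsing disable

! User C: only the single RDP bookmark (list BM-SERVER1 assumed, one entry)
group-policy GP-RDP-SERVER1 internal
group-policy GP-RDP-SERVER1 attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value BM-SERVER1
  url-entry disable
  file-browsing disable

! --- One connection profile: Kerberos authenticates, LDAP authorizes ---
tunnel-group CLIENTLESS-AD type remote-access
tunnel-group CLIENTLESS-AD general-attributes
 authentication-server-group MSKCD
 authorization-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group CLIENTLESS-AD webvpn-attributes
 group-alias Corporate enable
```

With this in place the user never picks a profile: everyone lands on the same connection profile, and the group-policy the LDAP authorization step returns decides what the portal shows. Because memberOf is multi-valued, a user who belongs to more than one mapped group gets the first map-value that matches, so keep the three AD groups disjoint or order the map-value lines deliberately. A DAP can still be layered on top for finer rules, but its ldap.memberOf criteria will only ever be evaluated once the LDAP server is part of the flow as shown here. Disabling url-entry and file-browsing in the policies that do not need them keeps each user limited to exactly the published resources.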