Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
921
Views
5
Helpful
3
Replies

SSL VPN Authentication using AD Group

Go to solution
ramesh.8901
Level 1
Level 1

‎11-19-2015 05:35 AM

Hi All,

I've been trying to restrict users from authenticating to the SSL VPN using an AD server. I've setup the AAA server with the IP address of the AD server and have assigned it to the Connection-Profile as well; however i see that any user who is a part of a group in AD is able to get authenticated.

I only want users who are a part of the AD group "VPN Users" to get authenticated whereas currently anyone and everyone who has AD credentials and not even a part of the AD group "VPN Users" is getting authenticated.

Can someone advice how i can make the ASA authenticate users based on AD groups? I'm using the ASDM to configure my RA VPNs.

Thanks in advance!

Regards,

Ramesh

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
eranthon
Level 1
Level 1

‎11-19-2015 06:13 AM

Hi Ramesh,

Try using DAP to restrict access to users belonging to a specific AD group :

https://supportforums.cisco.com/document/7691/asa-8x-dynamic-access-policies-dap-deployment-guide

Use the AAA attribute "LDAP .member of" to allow access to users belonging to a specific group and deny access to other users.

regards

Eric

View solution in original post

0 Helpful
3 Replies 3

Go to solution
eranthon
Level 1
Level 1

‎11-19-2015 06:13 AM

Hi Ramesh,

Try using DAP to restrict access to users belonging to a specific AD group :

https://supportforums.cisco.com/document/7691/asa-8x-dynamic-access-policies-dap-deployment-guide

Use the AAA attribute "LDAP .member of" to allow access to users belonging to a specific group and deny access to other users.

regards

Eric

0 Helpful

Go to solution
Ramesh.Ramani
Level 1
Level 1
In response to eranthon

‎11-23-2015 01:03 AM

Apologies for the delay in response eranthon. 

I have currently used several DAPs on the ASA. But when i use a DAP to state that anyone who is NOT a member of "AD Master Group Authentication" and select "Terminate" all the remaining DAPs fail.

When i tried implementing this as A MEMBER OF "AD Master Group Authentication" (rather than NOT) and select "Continue" and i let a default catch all DAP (to deny/terminate anyone not mathing anything else), it doesnt work. For some reason the default catch all DAP doesnt seem to work.

Any idea why? 

0 Helpful

Go to solution
eranthon
Level 1
Level 1
In response to Ramesh.Ramani

‎12-28-2015 08:52 PM

To view which all daps are getting applied to your session 

do a "debug dap trace 255".. you will see a line selected daps in the output.. make sure you are not hitting any other DAP policy  that is allowing access to the user.

Customers Also Viewed These Support Documents