SSL VPN Authentication using AD Group

ramesh.8901 (Level 1)

Hi All,

I've been trying to restrict users from authenticating to the SSL VPN using an AD server. I've set up the AAA server with the IP address of the AD server and have assigned it to the Connection Profile as well; however, I see that any user who is a part of a group in AD is able to get authenticated.

I only want users who are a part of the AD group "VPN Users" to get authenticated, whereas currently anyone and everyone who has AD credentials, and is not even a part of the AD group "VPN Users", is getting authenticated.

Can someone advise how I can make the ASA authenticate users based on AD groups? I'm using the ASDM to configure my RA VPNs.

Thanks in advance!

Regards,

Ramesh

Accepted Solution

eranthon (Level 1)

Hi Ramesh,

Try using DAP to restrict access to users belonging to a specific AD group:

https://supportforums.cisco.com/document/7691/asa-8x-dynamic-access-policies-dap-deployment-guide

Use the AAA attribute "LDAP.memberOf" to allow access to users belonging to a specific group and deny access to other users.

regards

Eric


Replies
Apologies for the delay in response, eranthon.

I have currently used several DAPs on the ASA. But when I use a DAP to state that anyone who is NOT a member of "AD Master Group Authentication" and select "Terminate", all the remaining DAPs fail.

When I tried implementing this as A MEMBER OF "AD Master Group Authentication" (rather than NOT) and selected "Continue", and I let a default catch-all DAP (to deny/terminate anyone not matching anything else), it doesn't work. For some reason the default catch-all DAP doesn't seem to work.

Any idea why?

To view which DAPs are getting applied to your session, do a "debug dap trace 255". You will see a line "Selected DAPs" in the output. Make sure you are not hitting any other DAP policy that is allowing access to the user.
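The DAP behaviour the last two replies are arguing about, as a small Python model added here (it is not Cisco code and was not part of the original thread): every DAP record whose selection criteria match is selected and aggregated, a "terminate" action in any selected record ends the session, and DfltAccessPolicy is used only when no other record matched. The record names, the group DN, the second record that matches on client type, and the `aaa.ldap.memberOf` / `endpoint.application.clienttype` attribute names as used here are assumptions; how the ASA's own "not equal" operator treats the multi-valued memberOf attribute is modelled as "no value equals", which is also an assumption; and the trace line only approximates what `debug dap trace` prints.

```python
"""Model of ASA DAP record selection, added to illustrate the thread above.
NOT Cisco code. Record names, the group DN, attribute names and the sample
sessions are constructed for this example."""

from dataclasses import dataclass
from typing import Callable, Dict, List

# A session as the DAP engine sees it: a flat attribute table. The
# aaa.ldap.memberOf value is a list because an AD user normally belongs to
# several groups (constructed sample data, attribute names assumed).
Session = Dict[str, object]

# Assumed DN of the "VPN Users" group from the question.
VPN_USERS_DN = "CN=VPN Users,OU=Groups,DC=example,DC=com"


@dataclass
class DapRecord:
    name: str
    action: str                          # "continue" or "terminate"
    criteria: Callable[[Session], bool]  # selection criteria


def member_of(group_dn: str) -> Callable[[Session], bool]:
    """ldap.memberOf = group_dn: true if ANY value of memberOf equals it."""
    return lambda s: any(g.lower() == group_dn.lower()
                         for g in s.get("aaa.ldap.memberOf", []))


def not_member_of(group_dn: str) -> Callable[[Session], bool]:
    """Modelled as 'no value of memberOf equals group_dn' (assumption: the
    ASA's handling of 'not equal' on a multi-valued attribute is not covered
    by the thread)."""
    is_member = member_of(group_dn)
    return lambda s: not is_member(s)


def client_is(client_type: str) -> Callable[[Session], bool]:
    """A record keyed on something unrelated to group membership."""
    return lambda s: s.get("endpoint.application.clienttype") == client_type


def select_daps(records: List[DapRecord], session: Session) -> List[str]:
    """Names of the selected records, in definition order. Every matching
    record is selected; DfltAccessPolicy is used ONLY when nothing else
    matched, so it is not a catch-all in the usual sense."""
    selected = [r.name for r in records
                if r.name != "DfltAccessPolicy" and r.criteria(session)]
    return selected or ["DfltAccessPolicy"]


def evaluate(records: List[DapRecord], session: Session) -> str:
    """'terminate' if any selected record terminates, otherwise 'continue'."""
    by_name = {r.name: r for r in records}
    selected = select_daps(records, session)
    if any(by_name[n].action == "terminate" for n in selected):
        return "terminate"
    return "continue"


def trace(records: List[DapRecord], session: Session, username: str) -> str:
    """Approximation of the 'Selected DAPs' line from 'debug dap trace'."""
    return f"Username: {username}, Selected DAPs: {','.join(select_daps(records, session))}"


# Constructed sessions: one user in the group, one not, both on AnyConnect.
STAFF_DN = "CN=Staff,OU=Groups,DC=example,DC=com"
IN_GROUP: Session = {"aaa.ldap.memberOf": [VPN_USERS_DN, STAFF_DN],
                     "endpoint.application.clienttype": "AnyConnect"}
NOT_IN_GROUP: Session = {"aaa.ldap.memberOf": [STAFF_DN],
                         "endpoint.application.clienttype": "AnyConnect"}

# Design 1, the "catch-all" design from the thread: allow members, rely on
# DfltAccessPolicy = terminate for everyone else. A second record that
# matches on client type (think AnyConnect-specific settings) also exists.
DESIGN_CATCH_ALL = [
    DapRecord("VPN_USERS_ALLOW", "continue", member_of(VPN_USERS_DN)),
    DapRecord("ANYCONNECT_SETTINGS", "continue", client_is("AnyConnect")),
    DapRecord("DfltAccessPolicy", "terminate", lambda s: True),
]

# Design 2: deny non-members with an explicit record. Because a terminate in
# any selected record wins, the client-type record cannot override it.
DESIGN_EXPLICIT_DENY = [
    DapRecord("VPN_USERS_ALLOW", "continue", member_of(VPN_USERS_DN)),
    DapRecord("ANYCONNECT_SETTINGS", "continue", client_is("AnyConnect")),
    DapRecord("NOT_VPN_USERS_DENY", "terminate", not_member_of(VPN_USERS_DN)),
    DapRecord("DfltAccessPolicy", "terminate", lambda s: True),
]

if __name__ == "__main__":
    for label, design in [("catch-all", DESIGN_CATCH_ALL),
                          ("explicit deny", DESIGN_EXPLICIT_DENY)]:
        for user, sess in [("alice", IN_GROUP), ("bob", NOT_IN_GROUP)]:
            print(f"[{label}] {trace(design, sess, user)} -> {evaluate(design, sess)}")
```

In the catch-all design the non-member is let through because ANYCONNECT_SETTINGS is selected, so DfltAccessPolicy never is; that is exactly what the "Selected DAPs" line from `debug dap trace` would expose on the box. The model does not explain why the NOT-member record broke the other DAPs in the thread, so reading the selected-DAPs list from the real trace is still the way to find out.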