11-19-2015 05:35 AM
Hi All,
I've been trying to restrict users from authenticating to the SSL VPN using an AD server. I've set up the AAA server with the IP address of the AD server and have assigned it to the Connection-Profile as well; however, I see that any user who is a part of a group in AD is able to get authenticated.
I only want users who are a part of the AD group "VPN Users" to get authenticated, whereas currently anyone and everyone who has AD credentials, and is not even a part of the AD group "VPN Users", is getting authenticated.
Can someone advise how I can make the ASA authenticate users based on AD groups? I'm using the ASDM to configure my RA VPNs.
Thanks in advance!
Regards,
Ramesh
11-19-2015 06:13 AM
Hi Ramesh,
Try using DAP to restrict access to users belonging to a specific AD group:
https://supportforums.cisco.com/document/7691/asa-8x-dynamic-access-policies-dap-deployment-guide
Use the AAA attribute "LDAP memberOf" to allow access to users belonging to a specific group and deny access to other users.
regards
Eric
11-23-2015 01:03 AM
Apologies for the delay in response eranthon.
I have currently used several DAPs on the ASA. But when I use a DAP to state that anyone who is NOT a member of "AD Master Group Authentication" and select "Terminate", all the remaining DAPs fail.
When I tried implementing this as A MEMBER OF "AD Master Group Authentication" (rather than NOT) and selected "Continue", and I let a default catch-all DAP (to deny/terminate anyone not matching anything else), it doesn't work. For some reason the default catch-all DAP doesn't seem to work.
Any idea why?
12-28-2015 08:52 PM
To view which DAPs are getting applied to your session, do a "debug dap trace 255". You will see a line "selected DAPs" in the output. Make sure you are not hitting any other DAP policy that is allowing access to the user.
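As an added illustration (not code from the thread or from Cisco), the following Python model mirrors the DAP selection rules that the "selected DAPs" line in the debug trace reflects: every user-defined record whose conditions match is selected, a record with no conditions matches every session, a "Terminate" action in any selected record ends the session, and DfltAccessPolicy is consulted only when no other record matched. The group names and record names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MASTER = "AD Master Group Authentication"  # constructed group name from the thread


@dataclass
class Dap:
    """One DAP record reduced to a single aaa.ldap.memberOf test (model, not ASA code)."""
    name: str
    member_of: Optional[str] = None  # None means the record has no conditions
    negate: bool = False             # True models the "NOT member of" operator
    action: str = "Continue"         # "Continue" or "Terminate"

    def matches(self, groups: Set[str]) -> bool:
        if self.member_of is None:   # a record with no conditions matches every session
            return True
        hit = self.member_of in groups
        return not hit if self.negate else hit


def select_daps(daps: List[Dap], groups: Set[str]) -> List[Dap]:
    """Records that would appear under 'selected DAPs' in 'debug dap trace'."""
    selected = [d for d in daps if d.name != "DfltAccessPolicy" and d.matches(groups)]
    if not selected:                 # the default record applies only when nothing else matched
        selected = [d for d in daps if d.name == "DfltAccessPolicy"]
    return selected


def evaluate(daps: List[Dap], groups: Set[str]) -> Tuple[str, List[str]]:
    """Aggregate the selected records: any Terminate wins over Continue."""
    selected = select_daps(daps, groups)
    names = [d.name for d in selected]
    action = "Terminate" if any(d.action == "Terminate" for d in selected) else "Continue"
    return action, names


# A user-defined catch-all record with no conditions is selected for everyone,
# so its Terminate ends even a session that also matched the allow record.
CATCH_ALL_RECORD = [Dap("AllowMaster", member_of=MASTER),
                    Dap("CatchAll", action="Terminate"),
                    Dap("DfltAccessPolicy")]

# Putting the Terminate on DfltAccessPolicy instead only fires when no
# other record matched, which is the intended "deny everyone else".
DEFAULT_TERMINATE = [Dap("AllowMaster", member_of=MASTER),
                     Dap("DfltAccessPolicy", action="Terminate")]

if __name__ == "__main__":
    print(evaluate(CATCH_ALL_RECORD, {MASTER}))        # ('Terminate', ['AllowMaster', 'CatchAll'])
    print(evaluate(DEFAULT_TERMINATE, {MASTER}))       # ('Continue', ['AllowMaster'])
    print(evaluate(DEFAULT_TERMINATE, {"Engineering"}))  # ('Terminate', ['DfltAccessPolicy'])
```

Compare the model's selected-record list with the "selected DAPs" line from "debug dap trace 255" for a test user to see which record is granting or terminating the session.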