VPN anyconnect with machine in the domain

marcio.tormente (Level 4)

hello folks,

I would like to configure my VPN to recognize the machine and allow it to connect to the VPN only if it is a member of the domain (AD).

Is it possible?

How can I do it?

Note: My VPN has a DAP configured to recognize members of a group in AD (users).

Thanks

Marcio


7 Replies

Hi Marco,

I'm unsure if, when you say member of an AD domain, you mean member of a specific security group in AD. If this is the case, then yes, this is possible; it can be done with LDAP attribute mapping on the ASA. This can also be done with RADIUS mapping; however, that needs to be done on the server, not the ASA, when using RADIUS. You can also do something similar with certificate mapping. DAP can also be used together with it and continue to assign the attributes that you are assigning, depending on what you are matching on the DAP.

Here are a few links for the mapping methods I mentioned before:

ASA Use of LDAP Attribute Maps Configuration Example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

PIX/ASA 8.0: Use LDAP Authentication to Assign a Group Policy at Login:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

ASA AnyConnect Double Authentication with Certificate Validation, Mapping, and Pre-Fill Configuration Guide:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html

Configure ACS to Assign a Group Policy at Login using RADIUS:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/98608-radius-assign-group-policy.html

Hope this helps.

Hello William,

Thanks for your support

The DAP that is configured uses LDAP, and people can only authenticate if they are members of a group; this works very well.

Now my customer wants to provide VPN only if the computer is registered on the domain controller. In other words, if a person wants to use the VPN on their personal computer, it will not be possible, so I need to make sure that, when this person tries to connect to the VPN, it checks whether their computer is registered in AD.

Thanks

Hi Marcio,

I see. OK, in that case what you would want is to deploy HostScan so it can scan the endpoint connecting to the ASA. This scan report will be sent to the ASA, and you can create DAP policies against certain attributes that will allow the connection. Once you have applied the DAPs you want to permit, then you need to set the default DAP to terminate all connections. Make sure you are very specific with the permit DAPs and that your clients comply with what you are matching; otherwise you may have unauthorized clients connecting or users that are unable to connect. The endpoints that don't meet the criteria will get the default and terminate the connection.

DAP and HostScan being so versatile, it is hard to find documentation on that or specific configuration examples. I think the requirement is to run 8.4 or higher, though. We can help you here at TAC with the configuration if you need assistance.

Hope this helps.
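An added configuration sketch of the layout described in the reply above (a permit DAP matched on a HostScan endpoint attribute plus a terminating default DAP); it is not from this thread or from Cisco documentation. The DAP record name, the HostScan registry label DomainJoin and the domain value are assumptions, and the Lua advanced-expression form is written from memory of the DAP syntax and should be verified in ASDM before use.

```cisco
! Assumptions: HostScan is enabled on the ASA, and a registry scan entry
! labelled "DomainJoin" (label chosen for this example) has been defined
! in ASDM under HostScan, pointing at the registry value that holds the
! machine's domain name. Endpoint attributes are matched in the DAP
! record's selection criteria in ASDM (stored in dap.xml), not on the CLI;
! the CLI only shows the record, its priority and its action.
!
! Default DAP: any session that matches no permit DAP is terminated.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
!
! Permit DAP for domain-joined Windows endpoints. The existing LDAP
! memberOf check stays as this record's AAA criterion (set in ASDM),
! so both the user-group and the endpoint condition must hold.
dynamic-access-policy-record Domain-Members-Only
 priority 10
 action continue
!
! Assumed advanced (Lua) selection expression for Domain-Members-Only,
! entered in ASDM; "corp.example.com" is a placeholder for the real domain:
!
!   (EVAL(endpoint.registry["DomainJoin"].exists, "EQ", "true", "string") and
!    EVAL(endpoint.registry["DomainJoin"].value, "EQ", "corp.example.com", "string"))
!
! A registry value is only evidence the machine is domain-joined, not
! proof; a machine certificate check is the stronger signal. Verify with
! "show vpn-sessiondb detail anyconnect" that matching clients land on
! Domain-Members-Only and non-matching ones are terminated by the default.
```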

Thanks William,

Opening a TAC case, I think, is the best option.

amdhage (Level 1)

Hello Amdhage!

I solved this problem with DAP as you mentioned; this works fine.

I don't have Macs among my clients, so for this reason I didn't have to worry about that.

Thanks for your support.

Hi,

I have the same requirements. Could you please share the configuration details or any guide? Currently I am using DAP with an LDAP query to AD for user verification, and now additionally I need to verify the domain PC.