We help IT Professionals succeed at work.

Cisco ASA 5510 and Active Directory

Jay_Jay70
Jay_Jay70 asked
on
3,444 Views
Last Modified: 2012-05-06
Hi,

I am looking at purchasing a Cisco ASA 5510 - Question re EZVPN Capabilities....can i base acl's for fine grained control on active directory groups? I know i can tie in for authentication using IAS, but would like to have network access for dial in users based on AD group membership rather than maintained on the firewall itself....

Thanks!
Comment
Watch Question

CERTIFIED EXPERT
Top Expert 2006

Author

Commented:
hmmm i know i can do the Authentication backed onto AD, my question is more based around that member of attribute - can i control my acl's based on this attrib? If member of ""GROUP"" apply ACL 10, if member of ""GROUP 2"" apply acl 2...etc

Commented:
donno .. i quess for downladable acl you got configure cisco ACS server or try with other Radius server and create user profiles based on the AD authentication. never used neither of them sry
yes you can, its very easy to setup dynamic ACL's based on any object. For example i have certain ACL's setup just to block access to certain servers when certain users connect on VPN
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
CERTIFIED EXPERT
Top Expert 2006

Author

Commented:
oh that is unreal - basically what i am trying to get to is a point where everything is based around AD - so if i can have my ASA EZVPN users logging in to VPN and only being able to access specific servers or even ports based on the ACL and their group membership, then i will be a very very happy lad
Thank you very much - thats exactly what i was after
CERTIFIED EXPERT
Top Expert 2006

Author

Commented:
Perfect - Many Thanks

Commented:
@ JayJay70 ->
You would assign a GroupPolicy based on AD Group-Membership. Problem - if you are not member if group A(example) - the user is still authenticated and assigned the default group policy. The only way I could think of was a over-restrictive "denay any any" policy as default which would be overridden of another group-policy which the ASA maps via a LDAP-Attribute Map you call when you  configure the AAA-Server. (exactly the screenshot "akalbfelll" uploaded in the "accepted solution".  
I configure a VPN RAS authenticatin based on OU, not group with thsi configuratin I was able the not-authenticat users which where not in that specific OU.
Somehow not a very pretty solution ...
Robert
CERTIFIED EXPERT
Top Expert 2006

Author

Commented:
Robert - Mate i completely missed your comment and apologise for not responding with thanks :) I have this thing in front of me today and starting to play around now :)
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.