Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ASA 5510 and Active Directory

Posted on 2009-05-03
9
Medium Priority
?
3,415 Views
Last Modified: 2012-05-06
Hi,

I am looking at purchasing a Cisco ASA 5510 - Question re EZVPN Capabilities....can i base acl's for fine grained control on active directory groups? I know i can tie in for authentication using IAS, but would like to have network access for dial in users based on AD group membership rather than maintained on the firewall itself....

Thanks!
0
Comment
Question by:Jay_Jay70
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24293221
0
 
LVL 48

Author Comment

by:Jay_Jay70
ID: 24300899
hmmm i know i can do the Authentication backed onto AD, my question is more based around that member of attribute - can i control my acl's based on this attrib? If member of ""GROUP"" apply ACL 10, if member of ""GROUP 2"" apply acl 2...etc
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24302599
donno .. i quess for downladable acl you got configure cisco ACS server or try with other Radius server and create user profiles based on the AD authentication. never used neither of them sry
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 8

Expert Comment

by:akalbfell
ID: 24304264
yes you can, its very easy to setup dynamic ACL's based on any object. For example i have certain ACL's setup just to block access to certain servers when certain users connect on VPN
0
 
LVL 8

Accepted Solution

by:
akalbfell earned 2000 total points
ID: 24304293
attached is a screenshot from my ASA where you would configure this...

attributes.JPG
0
 
LVL 48

Author Comment

by:Jay_Jay70
ID: 24309974
oh that is unreal - basically what i am trying to get to is a point where everything is based around AD - so if i can have my ASA EZVPN users logging in to VPN and only being able to access specific servers or even ports based on the ACL and their group membership, then i will be a very very happy lad
Thank you very much - thats exactly what i was after
0
 
LVL 48

Author Closing Comment

by:Jay_Jay70
ID: 31577459
Perfect - Many Thanks
0
 
LVL 1

Expert Comment

by:rblasey
ID: 24482279
@ JayJay70 ->
You would assign a GroupPolicy based on AD Group-Membership. Problem - if you are not member if group A(example) - the user is still authenticated and assigned the default group policy. The only way I could think of was a over-restrictive "denay any any" policy as default which would be overridden of another group-policy which the ASA maps via a LDAP-Attribute Map you call when you  configure the AAA-Server. (exactly the screenshot "akalbfelll" uploaded in the "accepted solution".  
I configure a VPN RAS authenticatin based on OU, not group with thsi configuratin I was able the not-authenticat users which where not in that specific OU.
Somehow not a very pretty solution ...
Robert
0
 
LVL 48

Author Comment

by:Jay_Jay70
ID: 24866240
Robert - Mate i completely missed your comment and apologise for not responding with thanks :) I have this thing in front of me today and starting to play around now :)
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question