  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3428

Cisco ASA 5510 and Active Directory

Hi,

I am looking at purchasing a Cisco ASA 5510. Question re EZVPN capabilities: can I base ACLs for fine-grained control on Active Directory groups? I know I can tie in for authentication using IAS, but I would like to have network access for dial-in users based on AD group membership rather than maintained on the firewall itself.

Thanks!
Asked by Jay_Jay70

1 Solution
 
egyptco commented:
 
Jay_Jay70 (author) commented:
Hmmm, I know I can do the authentication backed onto AD; my question is more based around that memberOf attribute. Can I control my ACLs based on this attribute? If member of "GROUP", apply ACL 10; if member of "GROUP 2", apply ACL 2; etc.
 
egyptco commented:
Dunno... I guess for downloadable ACLs you've got to configure a Cisco ACS server, or try another RADIUS server and create user profiles based on the AD authentication. Never used either of them, sorry.
akalbfell commented:
Yes you can; it's very easy to set up dynamic ACLs based on any object. For example, I have certain ACLs set up just to block access to certain servers when certain users connect on VPN.
 
akalbfell commented:
Attached is a screenshot from my ASA where you would configure this...

[attachment: attributes.JPG]
 
Jay_Jay70 (author) commented:
Oh, that is unreal. Basically what I am trying to get to is a point where everything is based around AD, so if I can have my ASA EZVPN users logging in to VPN and only being able to access specific servers, or even ports, based on the ACL and their group membership, then I will be a very, very happy lad.
Thank you very much, that's exactly what I was after.
 
Jay_Jay70 (author) commented:
Perfect. Many thanks.
 
rblasey commented:
@Jay_Jay70:
You would assign a group-policy based on AD group membership. Problem: if you are not a member of group A (example), the user is still authenticated and assigned the default group-policy. The only way I could think of was an over-restrictive "deny any any" policy as default, which would be overridden by another group-policy which the ASA maps via an LDAP attribute map that you call when you configure the AAA server (exactly the screenshot "akalbfell" uploaded in the "accepted solution").
I configured a VPN RAS authentication based on OU, not group; with this configuration I was able to not authenticate users which were not in that specific OU.
Somehow not a very pretty solution...
Robert
 
Jay_Jay70 (author) commented:
Robert, mate, I completely missed your comment and apologise for not responding with thanks :) I have this thing in front of me today and am starting to play around now :)