Solved

Cisco ASA 5510 and Active Directory

Posted on 2009-05-03
Last Modified: 2012-05-06
Hi,

I am looking at purchasing a Cisco ASA 5510. Question re EZVPN capabilities: can I base ACLs for fine-grained control on Active Directory groups? I know I can tie in for authentication using IAS, but I would like to have network access for dial-in users based on AD group membership rather than maintained on the firewall itself.

Thanks!
Question by:Jay_Jay70

9 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24293221
0
 
LVL 48

Author Comment

by:Jay_Jay70
ID: 24300899
Hmmm, I know I can do the authentication backed onto AD; my question is more based around that member-of attribute - can I control my ACLs based on this attribute? If member of "GROUP" apply ACL 10, if member of "GROUP 2" apply ACL 2... etc.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24302599
Dunno... I guess for downloadable ACLs you've got to configure a Cisco ACS server, or try another RADIUS server and create user profiles based on the AD authentication. Never used either of them, sorry.
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24304264
Yes you can, it's very easy to set up dynamic ACLs based on any object. For example, I have certain ACLs set up just to block access to certain servers when certain users connect on VPN.
0
 
LVL 8

Accepted Solution

by:
akalbfell earned 500 total points
ID: 24304293
Attached is a screenshot from my ASA where you would configure this...

attributes.JPG
0
 
LVL 48

Author Comment

by:Jay_Jay70
ID: 24309974
Oh, that is unreal - basically what I am trying to get to is a point where everything is based around AD, so if I can have my ASA EZVPN users logging in to VPN and only being able to access specific servers or even ports based on the ACL and their group membership, then I will be a very, very happy lad.
Thank you very much - that's exactly what I was after.
0
 
LVL 48

Author Closing Comment

by:Jay_Jay70
ID: 31577459
Perfect - Many Thanks
0
 
LVL 1

Expert Comment

by:rblasey
ID: 24482279
@Jay_Jay70 ->
You would assign a group policy based on AD group membership. Problem: if you are not a member of group A (example), the user is still authenticated and assigned the default group policy. The only way I could think of was an over-restrictive "deny any any" policy as default, which would be overridden by another group policy which the ASA maps via an LDAP attribute map you call when you configure the AAA server (exactly the screenshot "akalbfell" uploaded in the "accepted solution").
I configured a VPN RAS authentication based on OU, not group; with this configuration I was able to not authenticate users which were not in that specific OU.
Somehow not a very pretty solution...
Robert
0
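As an added example that is not part of this thread (it is neither akalbfell's screenshot nor rblasey's configuration), here is what the approach both of them describe looks like in ASA CLI: an LDAP attribute map translates the user's memberOf value into a group-policy name, each group policy carries its own vpn-filter ACL, and the tunnel group's default group policy refuses the session for anyone whose AD group is not mapped, which is the "deny by default" effect rblasey asks for. Every name, DN, address and ACL entry below is a constructed placeholder; the attribute the map writes to (IETF-Radius-Class) is the one ASA software of this era used to pick a group policy.

```cisco
! --- Added example, not from the thread. All names/DNs/IPs are placeholders. ---

! 1. Map AD group membership (memberOf) to a group-policy name.
!    IETF-Radius-Class is the attribute the ASA reads to select a group policy.
ldap attribute-map AD-GROUP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN-Servers,OU=Groups,DC=example,DC=com" GP-SERVERS
  map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" GP-FINANCE

! 2. AAA server pointing at a domain controller, with the map attached.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
  ldap-login-password <placeholder-bind-password>
  server-type microsoft
  ldap-attribute-map AD-GROUP-MAP

! 3. Per-group VPN filters (applied to the VPN session, not the interface).
!    Each list ends with an explicit deny so the group only sees its servers.
access-list ACL-SERVERS extended permit tcp any host 10.0.1.20 eq 3389
access-list ACL-SERVERS extended permit tcp any host 10.0.1.21 eq 22
access-list ACL-SERVERS extended deny ip any any
access-list ACL-FINANCE extended permit tcp any host 10.0.1.30 eq 445
access-list ACL-FINANCE extended deny ip any any
access-list ACL-NOACCESS extended deny ip any any

! 4. Default policy for anyone whose memberOf matched nothing in the map:
!    the login authenticates against AD but the session is refused
!    (vpn-simultaneous-logins 0), and even if it were not, the filter blocks all.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
  vpn-simultaneous-logins 0
  vpn-filter value ACL-NOACCESS

group-policy GP-SERVERS internal
group-policy GP-SERVERS attributes
  vpn-simultaneous-logins 3
  vpn-filter value ACL-SERVERS

group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
  vpn-simultaneous-logins 3
  vpn-filter value ACL-FINANCE

! 5. Remote-access tunnel group: authenticate via AD, fall back to GP-NOACCESS.
tunnel-group EZVPN-RAS type remote-access
tunnel-group EZVPN-RAS general-attributes
  authentication-server-group AD-LDAP
  default-group-policy GP-NOACCESS
tunnel-group EZVPN-RAS ipsec-attributes
  pre-shared-key <placeholder-psk>

! 6. Checks before relying on it:
!    test aaa-server authentication AD-LDAP host 10.0.0.10 username jdoe password ...
!    debug ldap 255      (shows the memberOf values returned and which map-value hit)
!    show vpn-sessiondb  (confirms the group policy and filter a live session received)
```

Two caveats a practitioner should test rather than assume: a user who is in more than one mapped group receives a single group policy (the ASA does not merge them), so keep the mapped groups mutually exclusive or order the map-value lines deliberately; and memberOf only reports direct membership, so nested groups will not match unless the user is placed in the mapped group directly.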
 
LVL 48

Author Comment

by:Jay_Jay70
ID: 24866240
Robert - mate, I completely missed your comment and apologise for not responding with thanks :) I have this thing in front of me today and am starting to play around now :)
0
