Solved

Cisco ASA 5510 and Active Directory

Posted on 2009-05-03
3,411 Views
Last Modified: 2012-05-06
Hi,

I am looking at purchasing a Cisco ASA 5510. Question re EZVPN capabilities: can I base ACLs for fine-grained control on Active Directory groups? I know I can tie in for authentication using IAS, but would like to have network access for dial-in users based on AD group membership rather than maintained on the firewall itself....

Thanks!
Question by:Jay_Jay70
9 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24293221
 
LVL 48

Author Comment

by:Jay_Jay70
ID: 24300899
Hmmm, I know I can do the authentication backed onto AD; my question is more based around that memberOf attribute. Can I control my ACLs based on this attribute? If member of "GROUP" apply ACL 10, if member of "GROUP 2" apply ACL 2... etc.
 
LVL 7

Expert Comment

by:egyptco
ID: 24302599
Dunno... I guess for downloadable ACLs you've got to configure a Cisco ACS server, or try another RADIUS server and create user profiles based on the AD authentication. Never used either of them, sorry.
 
LVL 8

Expert Comment

by:akalbfell
ID: 24304264
Yes you can; it's very easy to set up dynamic ACLs based on any object. For example, I have certain ACLs set up just to block access to certain servers when certain users connect on VPN.
 
LVL 8

Accepted Solution

by:
akalbfell earned 2000 total points
ID: 24304293
Attached is a screenshot from my ASA where you would configure this...

attributes.JPG
 
LVL 48

Author Comment

by:Jay_Jay70
ID: 24309974
Oh, that is unreal. Basically what I am trying to get to is a point where everything is based around AD, so if I can have my ASA EZVPN users logging in to VPN and only being able to access specific servers or even ports based on the ACL and their group membership, then I will be a very, very happy lad.
Thank you very much, that's exactly what I was after.
 
LVL 48

Author Closing Comment

by:Jay_Jay70
ID: 31577459
Perfect - Many Thanks
 
LVL 1

Expert Comment

by:rblasey
ID: 24482279
@Jay_Jay70 ->
You would assign a group policy based on AD group membership. Problem: if you are not a member of group A (example), the user is still authenticated and assigned the default group policy. The only way I could think of was an over-restrictive "deny any any" policy as default, which would be overridden by another group policy that the ASA maps via an LDAP attribute map you call when you configure the AAA server (exactly the screenshot "akalbfell" uploaded in the "accepted solution").
I configured VPN RAS authentication based on OU, not group; with this configuration I was able to not authenticate users who were not in that specific OU.
Somehow not a very pretty solution ...
Robert
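The configuration that akalbfell's screenshot and Robert's "deny-by-default group policy" comment describe, written out as ASA CLI. This is an added example, not the original poster's or either commenter's configuration: the server address, DNs, service account, group names, ACL names, server addresses and address pool are all made-up placeholders, and it assumes an ASA 8.2-era image (older 7.x/8.0 images spell the Cisco-side attribute `IETF-Radius-Class` instead of `Group-Policy`).

```cisco
! --- 1. Map AD memberOf values onto ASA group-policy names.
!     The DN must match what AD returns for the group; one map-value per group.
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf CN=VPN-Finance,OU=Groups,DC=example,DC=com GP-FINANCE
 map-value memberOf CN=VPN-IT,OU=Groups,DC=example,DC=com GP-IT

! --- 2. AD as an LDAP AAA server, bound with a read-only service account over LDAPS
!     so the bind password and user credentials are not sent in clear text.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-type microsoft
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password ChangeMe-ServicePassword
 ldap-attribute-map AD-GROUP-MAP

! --- 3. Per-group vpn-filter ACLs. A vpn-filter is written with the VPN client as the
!     source and the inside host as the destination; the ASA applies it to both
!     directions of the tunnel. End every filter with an explicit deny.
access-list VPN-FINANCE-FILTER extended permit tcp any host 10.0.1.20 eq 1433
access-list VPN-FINANCE-FILTER extended permit tcp any host 10.0.1.21 eq 445
access-list VPN-FINANCE-FILTER extended deny ip any any

access-list VPN-IT-FILTER extended permit ip any 10.0.0.0 255.255.255.0
access-list VPN-IT-FILTER extended deny ip any any

access-list VPN-DENY-ALL extended deny ip any any

! --- 4. Group policies: one per mapped AD group, plus a default that lets nobody in.
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-filter value VPN-FINANCE-FILTER

group-policy GP-IT internal
group-policy GP-IT attributes
 vpn-filter value VPN-IT-FILTER

! Users who authenticate but are in no mapped group land here. The deny-all filter
! blocks their traffic; vpn-simultaneous-logins 0 refuses the session outright.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-filter value VPN-DENY-ALL
 vpn-simultaneous-logins 0

! --- 5. Remote-access tunnel group (EZVPN / IPsec clients) using AD for auth.
ip local pool VPN-POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS

! --- 6. Checks from exec mode (jdoe is a constructed user assumed to be in VPN-Finance):
! test aaa-server authentication AD-LDAP host 10.0.0.10 username jdoe password <pw>
! debug ldap 255        -> look for the memberOf value and the mapped Group-Policy
! show vpn-sessiondb remote  -> Group Policy column must read GP-FINANCE, not GP-NOACCESS
```

Two caveats worth knowing before relying on this. If a user is a member of more than one mapped group, the ASA applies the first memberOf value that has a `map-value` entry, so overlapping groups need a deliberate ordering or mutually exclusive membership. And if you keep IAS/RADIUS for authentication instead of LDAP, the same effect is reached by having the RADIUS policy for each Windows group return the IETF `Class` attribute as `OU=GP-FINANCE;` (the group-policy name), with the same GP-NOACCESS default on the tunnel group.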
 
LVL 48

Author Comment

by:Jay_Jay70
ID: 24866240
Robert - Mate, I completely missed your comment and apologise for not responding with thanks :) I have this thing in front of me today and am starting to play around now :)
