We help IT Professionals succeed at work.

CISCO ASA Restrict access to SSLVPN Client or WEB VPN based on Radius group from AD.

wlhelp
wlhelp asked
on
Medium Priority
904 Views
Last Modified: 2012-08-13
I currently have the SSLVPN CLIENT and WEBVPN configured to use radius.  What I would like to do is create two AD groups one for the SSLVPN CLIENT users and one for WEBVPN users.  The SSLVPN CLIENT and WEBVPN are configured using separate policies on the ASA.  I can't figure out how to do this without setting up another radius server.
Comment
Watch Question

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
As part of each on the ASA policy you can define the cisco group.
On the Radius server one of the check items is the group.
i.e. part of the request the ASA in addition to transmitting the username/password/its IP it also sends a "group id" (I think it falls under the vendor specific attribute).

Configuring the IAS such that it uses this parameter as part of the check.

You would need to register with dslreports.net to view this:
http://www.dslreports.com/faq/8420

See if the below is helpful though approaches the same thing by directly querying the AD versus going through a radius server.



Author

Commented:
I've seen other articles point to the group ID.  I can't however under Server 2003 IAS find which attribute to use as "group id" is not present.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Not sure whether it is provided from the cisco as a Vendor-specific-attribute.
This is what you would use as one of your items.
vendor-specific-attribute=group1, username, password, etc. this is VPN1

vendor-specific-attribute=group2, username, password, etc. this is VPN2.

Check Cisco's site it has many different examples.  You could find an example there or within EE.
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.