wlhelp
asked on
CISCO ASA Restrict access to SSLVPN Client or WEB VPN based on Radius group from AD.
I currently have the SSLVPN CLIENT and WEBVPN configured to use radius. What I would like to do is create two AD groups one for the SSLVPN CLIENT users and one for WEBVPN users. The SSLVPN CLIENT and WEBVPN are configured using separate policies on the ASA. I can't figure out how to do this without setting up another radius server.
ASKER
I've seen other articles point to the group ID. I can't however under Server 2003 IAS find which attribute to use as "group id" is not present.
Not sure whether it is provided from the cisco as a Vendor-specific-attribute.
This is what you would use as one of your items.
vendor-specific-attribute= group1, username, password, etc. this is VPN1
vendor-specific-attribute= group2, username, password, etc. this is VPN2.
Check Cisco's site it has many different examples. You could find an example there or within EE.
This is what you would use as one of your items.
vendor-specific-attribute=
vendor-specific-attribute=
Check Cisco's site it has many different examples. You could find an example there or within EE.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
On the Radius server one of the check items is the group.
i.e. part of the request the ASA in addition to transmitting the username/password/its IP it also sends a "group id" (I think it falls under the vendor specific attribute).
Configuring the IAS such that it uses this parameter as part of the check.
You would need to register with dslreports.net to view this:
http://www.dslreports.com/faq/8420
See if the below is helpful though approaches the same thing by directly querying the AD versus going through a radius server.