How can I block a user from an AnyConnect group?

We have multiple AnyConnect profiles on our ASA. All these profiles authenticate with Active Directory using RADIUS. We're trying to secure this by allowing certain people to VPN to certain resources, instead of full access to everything. I have a VPN and it is ACLed to a certain server group, and this user is locked down to log in to just those servers. But in Active Directory he has dial-in allowed, so technically he can authenticate to other AnyConnect groups. How can I lock it down to allow him to use just one AnyConnect group?
doppleherz69 asked:

jaagdi commented:
You can either use RADIUS Attribute Support and RADIUS Authorization functions, OR you can use LDAP (see below) and thus control access based on groups:

=====================================================
Setting the LDAP Server Type

The security appliance supports LDAP version 3 and is compatible with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server), the Microsoft Active Directory, and other LDAPv3 directory servers.

By default, the security appliance auto-detects whether it is connected to a Microsoft Active Directory, a Sun LDAP directory server, or a generic LDAPv3 directory server. However, if auto-detection fails to determine the LDAP server type, and you know the server is either a Microsoft, Sun or generic LDAP server, you can manually configure the server type using the keywords sun, microsoft, or generic. The following example sets the LDAP directory server ldap_dir_1 to the Sun Microsystems type:

hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# server-type sun
hostname(config-aaa-server-host)#

Note:

•Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.

•Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

•Generic—The security appliance does not support password management with a generic LDAPv3 directory server.
===========================================================

Hope this helps :-).
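To make the "control access based on groups" part concrete, here is an added ASA configuration fragment (it is not part of jaagdi's answer or the quoted Cisco text). It assumes ASA 8.x-style syntax, reuses the 10.1.1.4 LDAP host from the quoted example, and uses placeholder names for the AD group, service account, ACL, group-policies and tunnel-group. AD group membership (memberOf) is mapped to a group-policy, the default policy denies all logins, and group-lock rejects the user if he connects through any tunnel-group other than the one he is mapped to.

```text
! Added example, not from the answer above. Placeholders: example.com domain,
! AD group VPN-ServerGroupA, ACL SERVERGROUPA-ACL, tunnel-group SERVERGROUPA-VPN.

! 1. Map the AD memberOf attribute to an ASA group-policy name.
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-ServerGroupA,OU=Groups,DC=example,DC=com" GP-SERVERGROUPA

! 2. LDAP server definition (replaces RADIUS for authentication + authorization).
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.4
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <placeholder-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! 3. Default policy for anyone with no mapped group: zero simultaneous logins
!    means the session is refused even though AD authentication succeeded.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 4. Policy for the restricted server group: apply the existing ACL and pin
!    the user to one tunnel-group. If he picks another AnyConnect profile,
!    group-lock terminates the connection.
group-policy GP-SERVERGROUPA internal
group-policy GP-SERVERGROUPA attributes
 vpn-simultaneous-logins 3
 vpn-filter value SERVERGROUPA-ACL
 group-lock value SERVERGROUPA-VPN

! 5. The tunnel-group (AnyConnect profile) for that server group. Every other
!    tunnel-group should likewise use AD-LDAP and default to NOACCESS so that
!    group membership, not the chosen profile, decides what a user reaches.
tunnel-group SERVERGROUPA-VPN type remote-access
tunnel-group SERVERGROUPA-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

Verify the mapping with "test aaa-server authentication AD-LDAP host 10.1.1.4 username <user> password <pw>" and "debug ldap 255" on a test account before cutting production tunnel-groups over; a user in no mapped group should be refused with the NOACCESS policy in the log.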