How can I block a user from an AnyConnect group?

We have multiple AnyConnect profiles on our ASA. All these profiles authenticate with Active Directory using RADIUS. We're trying to secure this by allowing certain people to VPN for certain resources, instead of full access to everything. I have a VPN and it is ACLed to a certain server group, and this user is locked down to log in to just those servers. But in Active Directory he has dial-in allowed, so technically he can authenticate to other AnyConnect groups. How can I lock it down to allow him to use just one AnyConnect group?
You can either use RADIUS Attribute Support and RADIUS Authorization functions, OR you can use LDAP (see below) and thus control access based on groups:

Setting the LDAP Server Type

The security appliance supports LDAP version 3 and is compatible with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server), the Microsoft Active Directory, and other LDAPv3 directory servers.

By default, the security appliance auto-detects whether it is connected to a Microsoft Active Directory, a Sun LDAP directory server, or a generic LDAPv3 directory server. However, if auto-detection fails to determine the LDAP server type, and you know the server is either a Microsoft, Sun or generic LDAP server, you can manually configure the server type using the keywords sun, microsoft, or generic. The following example sets the LDAP directory server ldap_dir_1 to the Sun Microsystems type:

hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host
hostname(config-aaa-server-host)# server-type sun


Note:

• Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.

• Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

• Generic—The security appliance does not support password management with a generic LDAPv3 directory server.

Hope this helps :-).