Cisco Anyconnect + ASA + 2 Factor Authentication + Authorization + AD/LDAP

Hi Experts

Have recently deployed a Cisco Anyconnect VPN Solution with 2 Factor Authentication and Posture assessment of Client Machines.

I would need to add some authorization to the solution such that I have the following connection profiles set up:

Group A - Default - all users have access (except Group B users)

Group B - Only member of LDAP group "Security" has access

Please could you provide any documentation that might help with this?

Or any useful information

Regards,
Nayyar HH (CCIE RS), Network Architect, asked.

btan, Exec Consultant, commented:
Wondering if you saw this. It looks to me like the "Group Policy" is specified in the connection profile for the VPN client. Also check out where there is an option to state that users have to be in a certain authorisation DB to be able to connect.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a2b93.shtml?referring_site=smartnavRD

More info on group policy in
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1166190

Two-Factor Authentication and Authorization Mode
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-2mt/sec-conn-sslvpn-ssl-vpn.html#GUID-A25A6E59-2B5A-4CF2-805C-16F141082118

Nayyar HH (CCIE RS), Network Architect (author), commented:
Thanks breadtan, the docs were helpful.

Eventually implemented this on ACS 5.x with Service Selection Rules:

Used RADIUS attribute ID 25 on ACS to return the group policy to be applied to the user (based on his AD group membership).

Didn't need to configure authorization on the ASA as RADIUS was used.
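For readers who want the ASA-native version of what both posts above describe (group-policy chosen per connection profile, membership in the LDAP "Security" group gating access), the following ASA CLI is an added example written for this page; it is not configuration from either participant. The server-group name AD-LDAP, the host 10.0.0.10, the DNs under DC=example,DC=com, the service account CN=svc-asa, and the GP-*/TG-* names are assumptions for illustration, and the already-deployed 2FA server group is left out. It uses an LDAP attribute map so that the ASA itself does the authorization; the last comment notes how the RADIUS attribute 25 approach the author chose maps onto the same group policies.

```text
! Added example, not from the original thread. Names, IPs and DNs are assumed.
!
! 1. Map the AD attribute memberOf to an ASA group-policy. Only members of
!    "Security" match the map-value and receive GP-SECURITY; everyone else
!    matches nothing and falls through to the tunnel-group's default policy.
ldap attribute-map AD-MAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=Security,OU=Groups,DC=example,DC=com GP-SECURITY

! 2. AD/LDAP server group used for both authentication and authorization
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
  ldap-login-password <password>
  server-type microsoft
  ldap-attribute-map AD-MAP

! 3. Group policies
! GP-DEFAULT = Group A: everyone who is NOT in Security
group-policy GP-DEFAULT internal
group-policy GP-DEFAULT attributes
  vpn-tunnel-protocol ssl-client
  vpn-simultaneous-logins 3

! GP-SECURITY = Group B: Security members only. group-lock pins this policy
! to TG-SECURITY, so a Security member who selects the default profile is
! disconnected; that is what enforces "except Group B users" on Group A.
group-policy GP-SECURITY internal
group-policy GP-SECURITY attributes
  vpn-tunnel-protocol ssl-client
  vpn-simultaneous-logins 3
  group-lock value TG-SECURITY

! NOACCESS: applied to anyone who authenticates on TG-SECURITY without being
! in Security. Zero simultaneous logins ends the session after authentication.
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0

! 4. Connection profiles (tunnel-groups)
tunnel-group TG-DEFAULT type remote-access
tunnel-group TG-DEFAULT general-attributes
  authentication-server-group AD-LDAP
  default-group-policy GP-DEFAULT
tunnel-group TG-DEFAULT webvpn-attributes
  group-alias Default enable

tunnel-group TG-SECURITY type remote-access
tunnel-group TG-SECURITY general-attributes
  authentication-server-group AD-LDAP
  default-group-policy NOACCESS
tunnel-group TG-SECURITY webvpn-attributes
  group-alias Security enable

! Let AnyConnect users pick a profile from the alias list
webvpn
  tunnel-group-list enable

! RADIUS variant (what the author did on ACS 5.x): keep the group policies and
! tunnel-groups above, point authentication-server-group at the RADIUS server
! group instead, and have ACS return IETF attribute 25 (Class) with the value
! OU=GP-SECURITY; for Security members. The ASA applies the named group-policy
! and the group-lock check works the same way, so no ldap attribute-map is needed.
```

To check the mapping before users do, run `test aaa-server authentication AD-LDAP host 10.0.0.10 username <user> password <pw>` with `debug ldap 255` enabled; the debug output shows which map-value matched and the resulting Group-Policy. Once sessions are up, `show vpn-sessiondb anyconnect` lists the tunnel group and group policy each session landed in, which is where a Security member who tried the Default profile will be missing and a non-member who tried Security will show no session at all.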