Friday, June 17, 2011

Use LDAP Authentication to Assign a Group Policy at Login

Finally after some head scratching, it worked! Now I can permit only AD users belong to
a certainAD group to connect to our ASA by anyconnect client.

If you did some research already, you might already know about step 1 and 2 but
the making work is all about step 3!

Step 1: Define your AD and your profile, explained here:

http://www.block.net.au/blogs/james/pages/active-directory-vpn-authentication-with-a-cisco-asa-5510-series-appliance.aspx

Step 2: The memberOf attribute is mapped to Radius-IETF-Class by the configured LDAP Attibute map:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Note: This part need to be done in CLI:

ciscoasa(config)#ldap attribute-map CISCOMAP
ciscoasa(config-ldap-attribute-map)#map-name memberOf IETF-Radius-Class
ciscoasa(config-ldap-attribute-map)#map-value memberOf CN=Employees,CN=Users,
DC=yourplace,DC=com ExamplePolicy1

Now you can do the rest in ASDM.


Step 3: The Ldap attribute map created in previous steps just bind the group-policy to the user.If you want to restrict the access, you need DAP.

http://www.ciscosystems.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml


So now you just need to create a DAP policy to reject users belong to this connection profile
and not part of the AD group:








Troubleshooting:

debug dap trace
debug ldap 255

No comments:

Post a Comment