Finally, after some head scratching, it worked! Now I can permit only AD users belonging to
a certain AD group to connect to our ASA with the AnyConnect client.
If you have already done some research, you probably know about steps 1 and 2, but
making it work is all about step 3!
Step 1: Define your AD server (the AAA server group) and your connection profile, as explained here:
http://www.block.net.au/blogs/james/pages/active-directory-vpn-authentication-with-a-cisco-asa-5510-series-appliance.aspx
Step 2: Map the memberOf attribute to IETF-Radius-Class with an LDAP attribute map, so that membership in the AD group assigns the matching group-policy:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Note: the attribute map has to be created in the CLI:
ciscoasa(config)#ldap attribute-map CISCOMAP
ciscoasa(config-ldap-attribute-map)#map-name memberOf IETF-Radius-Class
ciscoasa(config-ldap-attribute-map)#map-value memberOf CN=Employees,CN=Users,DC=yourplace,DC=com ExamplePolicy1
The map-value DN must match the group's distinguishedName exactly as AD returns it in memberOf. Then attach the map to the LDAP server entry (ldap-attribute-map CISCOMAP under the aaa-server host); the rest can be done in ASDM.
Step 3: The LDAP attribute map from the previous step only selects which group-policy a user gets. It denies nobody: a user who is not in the group still authenticates and simply lands in the connection profile's default group-policy. To actually restrict access you need a Dynamic Access Policy (DAP):
http://www.ciscosystems.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
So create a DAP record (in ASDM, under Dynamic Access Policies) that matches users connecting through this connection profile who are not members of the AD group, with its action set to Terminate. Users who are in the group match no record and fall through to the default access policy, whose action is Continue.
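The selection criteria of that DAP record can be written as an Advanced (Lua) expression instead of clicking them together. The following is an added example, not configuration from the original post: it assumes the connection profile is named AnyConnectProfile and reuses the group DN from step 2; aaa.cisco.tunnelgroup and aaa.ldap.memberOf are the attribute names the ASA exposes to DAP Lua expressions. The expression returns true (record selected, session terminated) for a non-member on that profile and false for everyone else.

```lua
-- Added example (not from the original post): DAP "Advanced" Lua expression
-- for a record whose action is Terminate. It evaluates to true, selecting
-- the record, when the session arrives through the AnyConnect connection
-- profile AND the LDAP user is not in the required AD group. Members get
-- false, so this record is skipped and the DfltAccessPolicy (Continue) applies.
-- Assumed names: connection profile "AnyConnectProfile", group DN below.
assert(function()
  local required_group = "CN=Employees,CN=Users,DC=yourplace,DC=com"
  local profile        = "AnyConnectProfile"

  -- Only police sessions on this connection profile; sessions on other
  -- tunnel-groups return false and are left alone.
  if type(aaa.cisco.tunnelgroup) ~= "string" or
     string.lower(aaa.cisco.tunnelgroup) ~= string.lower(profile) then
    return false
  end

  -- memberOf is multi-valued. The ASA hands it to Lua as a string when the
  -- user is in exactly one group and as a table when in several; if the
  -- attribute is absent (user in no groups) the user is not a member.
  -- DNs are compared whole and case-insensitively, so a group such as
  -- CN=Employees-Contractors does not match by prefix.
  local function is_member(attr, dn)
    if type(attr) == "string" then
      return string.lower(attr) == string.lower(dn)
    elseif type(attr) == "table" then
      for _, v in pairs(attr) do
        if string.lower(v) == string.lower(dn) then
          return true
        end
      end
    end
    return false
  end

  -- true = select this (Terminate) record, i.e. reject the non-member.
  return not is_member(aaa.ldap.memberOf, required_group)
end)()
```

Keep the terminate logic in the record itself rather than changing the default policy to Terminate; otherwise every other connection profile on the ASA is denied too. The values that reach this expression are exactly the ones debug dap trace prints, so if it does not behave as expected, check there whether memberOf arrived as a string, a table, or not at all.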
Troubleshooting:
debug dap trace
(shows the aaa.ldap.* and aaa.cisco.* attribute values the DAP engine evaluated and which records were selected)
debug ldap 255
(shows the LDAP bind, the search for the user and the attributes AD returned, including memberOf, plus the result of the attribute map)