When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I fear and loathe change I swapped to using Kerberos VPN Authentication for a while. I had to put in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular Domain Security Group “VPN-Users”, so I thought I would use LDAP for a change.

The process is to set up AAA for LDAP, then create an ‘Attribute map’ for the domain group, and then map that group to a particular ASA Tunnel Group/ASA Group Policy. Though to be honest, if you have multiple groups and want to assign different levels of access (i.e. different ACLs etc.) then using a blend of LDAP and Cisco Dynamic Access Policies (DAP) is a lot simpler. I’ll post both options, and you can take your pick.

Solution

Firstly you need to create a ‘service account’ in Active Directory that the ASA will use; it only needs to be able to browse the AD, so a simple Domain User is fine. Then create a user group that you want to grant AnyConnect Access to. And then create a test user and put that user in your domain group.

Create an AAA LDAP Server Group > Add a Server > Put in the Config for that server like so:

Petes-ASA(config)# tunnel-group PNL-TG-ANYCONNECT-ACCESS general-attributes
NOTE: HERE IT WILL FAIL BACK TO 'LOCAL' AUTH IF LDAP GOES DOWN (THIS IS GOOD!)
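To make the steps above concrete, here is an added, complete worked configuration in ASA CLI for the attribute-map option (the first of the two approaches mentioned). It is an example written for this page, not the article's own configuration. Only the VPN-Users group and the PNL-TG-ANYCONNECT-ACCESS tunnel group come from the article; the LDAP-AD server group, the 192.0.2.10 domain controller address, the DC=example,DC=local base DN, the svc-asa-ldap service account, the MAP-AD-GROUPS attribute map and the GP-VPN-USERS / GP-NOACCESS group policies are constructed assumptions.

```cisco
! Added example (not the page's own config). Assumed values: LDAP-AD server group,
! DC at 192.0.2.10, base DN DC=example,DC=local, service account svc-asa-ldap,
! attribute map MAP-AD-GROUPS, group policies GP-VPN-USERS / GP-NOACCESS.
! VPN-Users and PNL-TG-ANYCONNECT-ACCESS are taken from the article.
!
! 1. Attribute map: a memberOf value naming the domain group selects the group policy.
ldap attribute-map MAP-AD-GROUPS
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=local" GP-VPN-USERS
!
! 2. AAA server group bound with the read-only service account that browses AD.
!    ldap-over-ssl keeps the bind password and user credentials off the wire
!    (the DC must offer LDAPS on 636).
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=example,DC=local
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map MAP-AD-GROUPS
!
! 3. Group policy handed to members of VPN-Users.
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-tunnel-protocol ssl-client
!
! 4. Catch-all for valid domain users who are NOT in VPN-Users: they authenticate
!    successfully but are allowed zero simultaneous logins, so the session is refused.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 5. Tunnel group: LDAP first, LOCAL fallback if the DC is unreachable (the NOTE
!    in the article). Because LOCAL is an alternate authentication path, keep the
!    local user database down to a few strong emergency accounts.
tunnel-group PNL-TG-ANYCONNECT-ACCESS general-attributes
 authentication-server-group LDAP-AD LOCAL
 default-group-policy GP-NOACCESS
!
! Check from enable mode before rolling out: the test user in VPN-Users should
! authenticate, and 'debug ldap 255' shows the memberOf value being mapped to
! GP-VPN-USERS; a user outside the group should fall to GP-NOACCESS.
! test aaa-server authentication LDAP-AD host 192.0.2.10 username testuser password <pw>
```

The attribute map is what turns "authenticated domain user" into "authorised VPN user": without the GP-NOACCESS default, any account that can bind to AD would get a tunnel, because LDAP authentication alone says nothing about group membership.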