Lab Minutes Forum
Technical Discussion => Security => Topic started by: rthurber on August 18, 2013, 01:38:35 PM
-
I'm trying to figure out how to provide unique tunnel policies based on Active Directory groups. I have ASA pointing AnyConnect VPN users to ISE for Radius. In Radius, Authentication is working fine. And I have an Authorization Policy that allows users of an AD group to gain access, but I need to have 2 or more authorization policies that allow access based on groups. Those Authorizations would then be assigned to unique tunnel policies on the ASA.
-
If I understand your question, I think you need to set a Radius attribute (Class 25) under the individual rule's Authorization profile. To do this you'll need to do a couple of things:
- Create a custom Radius Dictionary for Class 25
- Create a new Authorization Profile (similar to "PermitAccess", but in addition to permit, you will also set the AnyConnect user's VPN tunnel policy via the "OU=TunnelPolicyName" attribute)
Let me know if you have any questions. And by the way....
YOUUURRR~~ WELCOME!! j/k
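The ASA side of the mapping described above, as an added example that is not part of the original post: one group policy per AD group, selected by the Class (25) value ISE returns, with a default policy that refuses sessions arriving without that attribute. All names, addresses and networks are placeholders chosen for illustration, and AnyConnect itself (webvpn, client image) is assumed to be enabled already.

```cisco
! Constructed example: every name, address and network below is a placeholder.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret>
!
ip local pool VPN-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! Fail-closed default: a session whose Access-Accept carries no Class
! attribute inherits the tunnel group's default policy, which allows
! zero simultaneous logins.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! ISE authorization profile for the first AD group returns
! Class (25) = "OU=VPN-ENGINEERING"
access-list ENG-SPLIT standard permit 10.10.0.0 255.255.0.0
group-policy VPN-ENGINEERING internal
group-policy VPN-ENGINEERING attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ENG-SPLIT
!
! ISE authorization profile for the second AD group returns
! Class (25) = "OU=VPN-CONTRACTORS"
access-list CONTRACTOR-SPLIT standard permit 10.20.30.0 255.255.255.0
group-policy VPN-CONTRACTORS internal
group-policy VPN-CONTRACTORS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CONTRACTOR-SPLIT
!
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 default-group-policy NOACCESS
```

After a test login from each AD group, `show vpn-sessiondb anyconnect` lists the group policy applied to each session, which confirms whether the Class value from ISE matched.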
-
Thanks for the solution