Hi all,
My requirement is to set up RADIUS authentication and authorization using the AnyConnect client in ASA 6.2 (ASDM 8.0, 5200).
I have successfully set up user authentication through the AnyConnect VPN client. This user resides in AD, and the validation of username, password and OTP (security code) happens in the RADIUS server (this RADIUS server is configured to use AD as the user store). Here is how I have done it:
In ASA,
1) Created a server group and added RADIUS as the server in it. Configured the RADIUS settings.
2) Created an IP pool.
3) Created a group policy.
4) Created an AnyConnect connection profile by providing the AAA server, IP pool and group policy details.
As of now, when I launch the AnyConnect client and provide the username and password (here it is a combination of password + OTP) and select the group (connection profile), authentication is successful and an IP from the pool gets assigned to the client. I can see the ACCESS GRANTED logs in the RADIUS server.
But my question here is how do I perform user authorization in the ASA 5520 after a successful user authentication through the AnyConnect client. I would like to do it in this way:
A user who belongs to a certain group should only be allowed to log in by selecting that group (connection profile). Any other user who belongs to a different group shouldn't be allowed to log in by selecting the same connection profile. As of now any user in AD can log in using AnyConnect by selecting the group and entering the right credentials. Basically I would like to know how to perform LDAP-RADIUS group mapping in ASA.
I would be really grateful for any help on this.
Thanks.
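As an added example, and not the poster's own configuration, here is the ASA 8.0 CLI equivalent of the four ASDM steps above, extended with the two settings that decide whether an authenticated user is actually granted a session in a given connection profile: a deny policy with zero simultaneous logins as the profile's default, and a group-lock on the allowed policy. Every name, address and secret below is an assumption chosen for illustration.

```cisco
! Added example, not the original post's configuration.
! All object names, addresses and the shared secret are assumed values.

! 1) RADIUS server group (the poster's step 1)
aaa-server RADIUS-OTP protocol radius
aaa-server RADIUS-OTP (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! 2) Address pool handed to connected clients (step 2)
ip local pool POOL-VPN-USERS 10.10.10.10-10.10.10.200 mask 255.255.255.0

! 3) Group policies (step 3).
! GP-VPN-USERS is the policy members of the intended AD group should receive.
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-tunnel-protocol svc
 ! group-lock ties this policy to one connection profile: a user mapped here
 ! who selected a different profile is rejected.
 group-lock value TG-VPN-USERS
 vpn-simultaneous-logins 3

! GP-NOACCESS exists only to refuse everyone who is not mapped elsewhere.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 ! Zero simultaneous logins: a user who authenticates but lands in this
 ! policy still gets no session.
 vpn-simultaneous-logins 0

! 4) Connection profile selected in the client (step 4).
! Its default policy is the deny policy, so a valid password + OTP alone is
! not enough; the RADIUS server must name an allowed policy to grant access.
tunnel-group TG-VPN-USERS type remote-access
tunnel-group TG-VPN-USERS general-attributes
 authentication-server-group RADIUS-OTP
 address-pool POOL-VPN-USERS
 default-group-policy GP-NOACCESS
tunnel-group TG-VPN-USERS webvpn-attributes
 group-alias VPN-Users enable

webvpn
 enable outside
 ! svc image <path-to-anyconnect-package> must also be present (placeholder)
 svc enable
 tunnel-group-list enable
```

The mapping itself is done on the RADIUS server side: after it validates the credentials and checks AD group membership, it returns the IETF Class attribute (25) with the value `OU=GP-VPN-USERS;` in its Access-Accept, and the ASA applies that group policy instead of the profile's default. A user outside the AD group gets no such attribute (or a different policy name), falls into GP-NOACCESS and is refused even though the RADIUS server logged ACCESS GRANTED. `show vpn-sessiondb svc` confirms which group policy a connected user received, and the ASA syslog for the rejected login shows the policy and profile involved.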