Yeah, I basically use the IAS rule to define which group they belong to in Active Directory and then pass back the RADIUS value to choose the corresponding group I created in ASA. I had 3 different groups and it worked great. I just make sure that the higher-level groups are higher in the rule list. I am replacing all this with RSA keyfob auth now, so it is all changing. But during the migration between token and password I just use the drop-down group box to let the user choose which kind of auth they are on.

I use the same systems with my Cisco Wireless (LWAPP). I use a GPO to choose which WLANs the user connects to and IAS (PEAP) to correspond to their group. If we disable a user account in AD, we disable it for wireless. The plan is to do dot1x for port-auth and make everything tie to one account. This also makes group-based ACLs/WLANs work per Dept.

.nick
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Looney
Sent: Tuesday, September 04, 2007 6:20 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ACS and ASA VPN user authentication

> I have done this with Microsoft IAS and it works like a dream. I
> use it to restrict VPN access to users that are members of specific
> Domain groups. I can also stack the rules to allow for a group per
> group and ACL's for Departments...etc.

Yeah, I've done that on many occasions with routers as well - does this work with different VPN groups that are defined on the ASA?

B.

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
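As an added example (not from either poster), this is the ASA side of the group assignment Nick describes: IAS returns the IETF RADIUS Class attribute (25) as `OU=<group-policy>;`, the ASA maps it to a group-policy, and `group-lock` plus a deny-all default policy stop a user from landing in a group the RADIUS server did not assign via the client drop-down. The server address, shared secret, subnet, and the group and ACL names are placeholders.

```cisco
! Added example, not the poster's config. IP, keys and names are placeholders.
! RADIUS server group pointing at the IAS box
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
! Catch-all policy: users whose IAS policy returns no Class attribute
! land here and are refused (zero simultaneous logins).
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Per-department policy; IAS returns Class = "OU=SALES-VPN;" for members
! of the Sales AD group. group-lock ties the policy to its tunnel-group,
! so selecting a different group in the client drop-down fails.
access-list SALES-ACL extended permit ip any 10.10.10.0 255.255.255.0
group-policy SALES-VPN internal
group-policy SALES-VPN attributes
 vpn-filter value SALES-ACL
 group-lock value SALES-TUNNEL
!
! Tunnel-group the user selects; authentication goes to IAS, and the
! default policy is the deny-all one until RADIUS overrides it.
tunnel-group SALES-TUNNEL type ipsec-ra
tunnel-group SALES-TUNNEL general-attributes
 authentication-server-group IAS-RADIUS
 default-group-policy NOACCESS
tunnel-group SALES-TUNNEL ipsec-attributes
 pre-shared-key <group-psk-placeholder>
```

On the IAS side, each remote access policy that matches a Windows group must add the Class attribute with the matching `OU=...;` value; a policy that matches but returns no Class attribute leaves the user in NOACCESS.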