Re: Asa webvpn auth

From: Ryan West <rwest_at_zyedge.com>
Date: Wed, 1 Jul 2009 16:00:41 -0400

Hi,

You want to look at DAP. You're right about the first matching issue.
Only downside with DAP is that all your configuration is done via
ASDM, you'll need 8.x, and backup is a little more painful.

Sent from handheld.

On Jul 1, 2009, at 3:56 PM, "robclav_at_gmail.com" <robclav_at_gmail.com>
wrote:

> Hi folks,
> I wish to configure a detailed webvpn group-policy authentication.
> Several group-policies are defined on the ASA, offering some published
> applications under them.
> Depending on who you are, you can access the group-policy or not.
>
> There are the following "connection profiles" when you reach the
> outside ASA interface:
> -webvpn mail services
> -webvpn intranet and private web services.
> -webvpn crm, SAP and reports servers.
> -webvpn file sharing
>
> Microsoft IAS services is working as an AAA server against users in AD.
> When I configured authentication as passed or rejected, it works fine.
> When I configured authentication using an IAS remote access policy
> mapping the AD user group and a class attribute telling the ASA
> which "connection profile" is validated, it works.
>
> The problem arises because the user can belong to more than one AD
> group, but it exits at the first "directive" it matches (like ACL
> behaviour), so one user can access just one "connection profile".
> So is there any way, in addition to creating a mixed "bookmark list"
> for a bigger group-policy and creating an AD "super" group adding both
> groups and using the RADIUS attribute called class to match the
> mixed group-policy?
>
> The problem with this solution is that you need to create as many
> "supergroups" and mixed group-policies as user role rights we need.
>
> Thanks a lot,
> Robclav
>
> Blogs and organic groups at http://www.ccie.net
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Jul 01 2009 - 16:00:41 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:21 ART