Hi folks,
I wish to configure detailed webvpn group-policy authentication.
Several group-policies are defined on the ASA, each offering some published applications.
Depending on who you are, you can access the group-policy or not.
There are the following "connection profiles" when you reach the outside ASA interface:
-webvpn mail services
-webvpn intranet and private web services.
-webvpn crm, SAP and reports servers.
-webvpn file sharing
Microsoft IAS services is working as an AAA server against users in AD.
When I configure authentication as passed or rejected, it works fine.
When I configure authentication using an IAS remote access policy mapping the AD user group and a class attribute telling the ASA which "connection profile" is validated, it works.
The problem arises because a user can belong to more than one AD group, but at the first "directive" that matches, it exits (like ACL behaviour), so one user can access just one "connection profile".
So is there any way besides creating a mixed "bookmark list" for a bigger group-policy and creating an AD "super" group containing both groups, and allowing the RADIUS attribute called class to match the mixed group-policy?
The problem with this solution is that you need to create as many "supergroups" and mixed group-policies as the user role rights we need.
Thanks a lot,
Robclav
Received on Wed Jul 01 2009 - 19:53:36 ART
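
The first-match behaviour and the supergroup workaround described in the post, as a simplified Python model. This is an added example, not part of the original message; the AD group names, Class values, bookmarks and users are all constructed, and policy evaluation is reduced to an ordered group-membership check.

```python
from itertools import chain

# Constructed sample data: AD group -> (Class value / group-policy, bookmarks).
PROFILES = {
    "VPN-Mail":     ("mail",     ["webmail"]),
    "VPN-Intranet": ("intranet", ["intranet", "private-web"]),
    "VPN-CRM":      ("crm",      ["crm", "sap", "reports"]),
    "VPN-Files":    ("files",    ["file-share"]),
}
# Ordered remote access policies: (required AD group, Class value returned).
POLICIES = [(group, prof[0]) for group, prof in PROFILES.items()]
USERS = {  # constructed users and their AD group memberships
    "alice": {"VPN-Mail"},
    "bob":   {"VPN-Mail", "VPN-CRM"},
    "carol": {"VPN-Intranet", "VPN-Files", "VPN-Mail"},
    "dave":  {"VPN-CRM", "VPN-Mail"},
}

def first_match(groups, policies=POLICIES):
    """Class value of the first policy the user matches; later ones are never seen."""
    for group, class_value in policies:
        if group in groups:
            return class_value
    return None  # no policy matched: authentication rejected

def supergroup_plan(users, profiles=PROFILES):
    """One mixed group-policy (merged bookmark list) per distinct multi-group combo."""
    plan = {}
    for groups in users.values():
        combo = tuple(sorted(groups))
        if len(combo) >= 2 and combo not in plan:
            name = "+".join(profiles[g][0] for g in combo)
            marks = sorted(chain.from_iterable(profiles[g][1] for g in combo))
            plan[combo] = (name, marks)
    return plan

def resolve_with_supergroups(groups, plan):
    """Supergroup policies are evaluated before the single-group ones."""
    hit = plan.get(tuple(sorted(groups)))
    return hit[0] if hit else first_match(groups)

def max_mixed_policies(n_profiles):
    """Worst case: every subset of two or more profiles needs its own supergroup."""
    return 2 ** n_profiles - n_profiles - 1

if __name__ == "__main__":
    plan = supergroup_plan(USERS)
    for user, groups in USERS.items():
        print(user, first_match(groups), resolve_with_supergroups(groups, plan))
    print("mixed policies needed:", len(plan), "worst case:", max_mixed_policies(4))
```

With the four connection profiles in the post, the worst case is 11 mixed group-policies and matching AD supergroups, which is the maintenance cost the poster is objecting to.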