Re: VPN Restriction in ASA OS 8.22

From: Ryan West <rwest_at_zyedge.com>
Date: Sat, 20 Mar 2010 13:47:04 +0000

Yes. You would bind via LDAP to your DC. Then you can match on LDAP
attributes in AD to land users into specific groups. If you use
time-ranges, users who do not map properly can map to the default group
with no access hours.

Sent from handheld.

On Mar 20, 2010, at 1:39 AM, "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
wrote:

> My Topology is :
>
> ASA -----to---- ACS ----to----- Windows-DomainController.
>
> Can I do that with DC the same way you say it can be done with LDAP?
>
> Regards
>
> ----- Original Message ----- From: "Ryan West" <rwest_at_zyedge.com>
> To: "Kanishka Acharya (kaachary)" <kaachary_at_cisco.com>; "Farrukh Haroon" <farrukhharoon_at_gmail.com>; "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
> Cc: <security_at_groupstudy.com>; "Cisco certification" <ccielab_at_groupstudy.com>
> Sent: Friday, March 19, 2010 7:54 PM
> Subject: RE: VPN Restriction in ASA OS 8.22
>
>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Kanishka Acharya (kaachary)
>>> Sent: Friday, March 19, 2010 8:00 PM
>>> To: Farrukh Haroon; Edouard Zorrilla
>>> Cc: security_at_groupstudy.com; Cisco certification
>>> Subject: RE: VPN Restriction in ASA OS 8.22
>>>
>>> Actually on ASA, Radius Class [25] is no longer used for group-lock,
>>> but to bind a group-policy to the user. You need to use cvpn
>>> 3000/PIX/ASA VSA 85 (Tunnel-Group-Lock) for this purpose.
>>> Alternatively, you can use the Group-lock attribute in group-policy
>>> for this.
>>>
>>
>> Wouldn't an LDAP authorization do the same?
>>
>> -ryan
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Mar 20 2010 - 13:47:04 ART
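
The approach described in the top reply, written out as an ASA configuration sketch. This is an added example, not configuration posted by anyone in the thread. It assumes the ASA binds directly to the domain controller over LDAP, and every name, DN, address and time window in it is a constructed placeholder.

```text
! Constructed example; every name, DN and address below is a placeholder.
! Catch-all policy: its access-hours window closed in the past, so a user
! who matches no map-value below can never establish a session.
time-range NO-ACCESS
 absolute end 00:00 01 January 2010
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-access-hours value NO-ACCESS
!
! Policy for mapped users, locked to the one tunnel-group they may use.
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-access-hours value BUSINESS-HOURS
 group-lock value TG-REMOTE
!
! Map the AD memberOf attribute onto the attribute that selects a
! group-policy. The DN must match the directory value exactly.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN-Staff,OU=Groups,DC=example,DC=com GP-STAFF
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 ldap-attribute-map AD-GROUP-MAP
!
! Unmapped users inherit the tunnel-group default, which is the
! no-access policy, so the design fails closed.
tunnel-group TG-REMOTE type remote-access
tunnel-group TG-REMOTE general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

Test with one account inside the mapped AD group and one outside it, and confirm the second is refused rather than landing in a permissive default policy.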