Let's say you have Cisco ACS up and running and already successfully talking to your Active Directory installation. You also already have an existing VPN Client remote-access configuration on the ASA where the group policy name is "GP_VPN_ITNET" and the tunnel group name is "TG_VPN_ITNET".
Now you have an Active Directory group called "RG_VPN_ITNET" and want to ensure that the only VPN remote-access profile that group can use is the existing remote-access configuration.
- Log into the Cisco ACS
- Create a new Network Access Authorization Profile under Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles
  - Create a new profile
  - Name the profile to match the desired AD VPN group name
  - Example name: "RG_VPN_ITNET"
- On the RADIUS Attributes tab, add the following
  - Dictionary Type: RADIUS-IETF
  - RADIUS Attribute: 25 - Class
  - In the bottom field box, fill in the group-policy name that the ASA tunnel-group uses
  - Example: "OU=GP_VPN_ITNET;"
- In the access policy rule, set Conditions: AD1:ExternalGroups to the desired AD VPN group. Example: "domain.com//Global Groups/Resource groups/VPN/RG_VPN_ITNET"
- As the Result of that rule, specify the Authorization Profile "RG_VPN_ITNET"
- On the ASA, lock the group policy to its tunnel group so that a user who receives this group policy cannot connect through any other tunnel group:
  group-policy GP_VPN_ITNET attributes
   group-lock value TG_VPN_ITNET
- Test the VPN client connects successfully for a member of the Active Directory group.
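The following is an added example and is not part of the original write-up nor Cisco's code. It builds and parses the RADIUS IETF attribute 25 (Class) value in the "OU=<group-policy>;" form the steps above use, then checks a constructed ASA running-config excerpt (the `SAMPLE_ASA_CONFIG` string is made up for this example) to confirm that the group policy named in the Class value exists and is locked to the expected tunnel group. Running such a check before the final connection test catches the two common mistakes: a typo between the ACS profile and the ASA group-policy name, and a missing `group-lock`.

```python
import re

# Constructed ASA running-config excerpt for this example (not from a real device).
# GP_VPN_ITNET is correctly locked; GP_VPN_SALES is deliberately missing its group-lock.
SAMPLE_ASA_CONFIG = """
group-policy GP_VPN_ITNET internal
group-policy GP_VPN_ITNET attributes
 vpn-tunnel-protocol ikev1 ssl-client
 group-lock value TG_VPN_ITNET
group-policy GP_VPN_SALES internal
group-policy GP_VPN_SALES attributes
 vpn-tunnel-protocol ssl-client
tunnel-group TG_VPN_ITNET type remote-access
tunnel-group TG_VPN_ITNET general-attributes
 default-group-policy GP_VPN_ITNET
tunnel-group TG_VPN_SALES type remote-access
"""

NAME_RE = r"[A-Za-z0-9_.-]+"


def build_class_attribute(group_policy: str) -> str:
    """Return the RADIUS Class (attribute 25) value the ASA maps to a group-policy."""
    if not re.fullmatch(NAME_RE, group_policy):
        raise ValueError(f"unexpected characters in group-policy name: {group_policy!r}")
    return f"OU={group_policy};"


def parse_class_attribute(value: str) -> str:
    """Extract the group-policy name from an 'OU=<policy>;' Class value."""
    m = re.fullmatch(rf"OU=({NAME_RE});?", value.strip())
    if not m:
        raise ValueError(f"not an ASA-style Class attribute value: {value!r}")
    return m.group(1)


def parse_asa_config(config: str) -> dict:
    """Collect group-policies (with any group-lock) and tunnel-group names from ASA config text."""
    policies = {}      # name -> {"group_lock": tunnel-group name or None}
    tunnel_groups = set()
    current = None     # the group-policy whose 'attributes' block we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"group-policy (\S+) (internal|external)", line)
        if m:
            policies.setdefault(m.group(1), {"group_lock": None})
            current = None
            continue
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            current = policies.setdefault(m.group(1), {"group_lock": None})
            continue
        m = re.match(r"tunnel-group (\S+) type", line)
        if m:
            tunnel_groups.add(m.group(1))
            current = None
            continue
        if not line.startswith(" "):
            current = None      # any other top-level command ends the attributes block
            continue
        m = re.match(r"\s+group-lock value (\S+)", line)
        if m and current is not None:
            current["group_lock"] = m.group(1)
    return {"policies": policies, "tunnel_groups": tunnel_groups}


def check_mapping(class_value: str, expected_tunnel_group: str, config: str) -> list:
    """Return findings; an empty list means the ACS profile and the ASA config agree."""
    findings = []
    policy = parse_class_attribute(class_value)
    parsed = parse_asa_config(config)
    info = parsed["policies"].get(policy)
    if info is None:
        return [f"group-policy {policy} is not defined on the ASA"]
    lock = info["group_lock"]
    if lock is None:
        findings.append(f"group-policy {policy} has no group-lock; it is usable from any tunnel-group")
    elif lock != expected_tunnel_group:
        findings.append(f"group-policy {policy} is locked to {lock}, expected {expected_tunnel_group}")
    if expected_tunnel_group not in parsed["tunnel_groups"]:
        findings.append(f"tunnel-group {expected_tunnel_group} is not defined on the ASA")
    return findings


if __name__ == "__main__":
    class_value = build_class_attribute("GP_VPN_ITNET")
    print(class_value, check_mapping(class_value, "TG_VPN_ITNET", SAMPLE_ASA_CONFIG))
    print(check_mapping("OU=GP_VPN_SALES;", "TG_VPN_SALES", SAMPLE_ASA_CONFIG))
```

Feed `check_mapping` the output of `show running-config group-policy` and `show running-config tunnel-group` from the ASA and the Class value configured in the ACS authorization profile; the ITNET case returns no findings, while the SALES case reports the missing group-lock.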