Hi All,
I am trying to create multiple groups using RSA to lock down users to specific access. I cannot use LDAP/AD here. With RSA, if I create an RSA profile and assign it to a client then it will only specify one group. How can I make it so I can attach multiple RSA profiles to a RADIUS client? I want to accomplish an AnyConnect setup where group a only has access to x, group b only has access to y and group c only has access to k. I found this information below, but again it locks down to only one group: https://supportforums.cisco.com/t5/aaa-identity-and-nac/asa-anyconnect-radius-group-lock-with-rsa-authentication-manager/td-p/2496136

1. Create RADIUS profile
   - RADIUS -> RADIUS Profiles -> Add New
     1. Profile Name: group1
     2. Return List Attributes:
        1. Attribute: Class
        2. Value: group-GP1
        3. Add -> Save
     3. Profile Name: NoVPN
     4. Return List Attributes:
        1. Attribute: Class
        2. Value: NoVPN
        3. Add -> Save

2. Create RADIUS Client
   - RADIUS -> RADIUS Clients -> Add New
   - RADIUS Client tab:
     - Client Name: ciscoasa
     - IP Address: Cisco ASA's IP address
     - Make/Model: Standard Radius
     - Shared Secret: your designated shared secret
   - RSA Agent tab:
     - RADIUS profile: NOVPN

3. Associate user account to RADIUS profile
   - Identity -> Users -> Manage Existing
   - Search for user -> click on user -> Authentication Settings:
     - User RADIUS Profile: group-GP1
Thanks
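The procedure above relies on the RADIUS Class attribute (type 25) returned in the Access-Accept: the client-level profile returns the catch-all NoVPN value and a per-user profile overrides it with the group name. The following added example (not code from the post, RSA or Cisco) models the policy decision on the VPN side: it encodes and parses RADIUS type/length/value attributes, reads the Class value in either the bare form the post uses or the OU=name; form, and falls back to NoVPN whenever the value is missing, unknown or ambiguous. The group-policy names and the sample Access-Accept are constructed.

```python
import struct

ATTR_CLASS = 25  # RADIUS attribute type for Class (RFC 2865)

# Group policies assumed to exist on the ASA (constructed names that follow
# the post's profile values; real names come from the ASA configuration).
KNOWN_GROUP_POLICIES = {"group-GP1", "group-GP2"}
DENY_POLICY = "NoVPN"  # the post's catch-all "no access" profile


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value must be at most 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list, rejecting truncated or oversized lengths."""
    attrs = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", blob, pos)
        if length < 2 or pos + length > len(blob):
            raise ValueError("attribute length outside packet")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def class_to_policy_name(raw: bytes) -> str:
    """Accept the bare value the post uses ("group-GP1") or the "OU=name;" form."""
    text = raw.decode("ascii", errors="replace").strip()
    if text.startswith("OU=") and text.endswith(";"):
        text = text[3:-1]
    return text


def effective_group_policy(blob: bytes) -> str:
    """Decide which group policy an Access-Accept assigns; anything unclear denies."""
    classes = [v for t, v in parse_attributes(blob) if t == ATTR_CLASS]
    if len(classes) != 1:  # missing or conflicting Class values: fall back to NoVPN
        return DENY_POLICY
    name = class_to_policy_name(classes[0])
    return name if name in KNOWN_GROUP_POLICIES else DENY_POLICY


if __name__ == "__main__":
    # Constructed Access-Accept attribute list for a user on the group1 profile.
    accept = encode_attribute(ATTR_CLASS, b"group-GP1")
    print(effective_group_policy(accept))  # group-GP1
```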