I want to start off saying I'm not a network guy, I have plans to get there, but not there yet.
Currently, only those belonging to the AD group Remote Access can VPN in, so that's good. But once they remote in they can hit all VLANs/subnets.
What I'm looking to accomplish:
User connects using the AnyConnect client. They select the group they belong to, punch in their credentials and they're off and running. On the back end, they only get access to the VLANs/subnets they need to do their job.
I also want all users authenticating against AD, so we can centrally manage accounts. Each AnyConnect group already has an AD group with appropriate users in it.
Example:

Hardware: Cisco ASA 5510 (about to be replaced with a 5516-X)

Group: Regular Users
  Subnet access: Server/Printer subnet, EMR subnet, VoIP subnet
  AD group: Remote Access

Group: VoIP Support Contractors
  Subnet access: VoIP subnet
  AD group: PBX Support

Group: HVAC Support
  Subnet access: HVAC subnet
  AD group: HVAC Support

Group: IT Sysadmins
  Subnet access: ALL subnets
  AD group: IT Remote
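The usual way to get this outcome on an ASA is to let the AD group, not the user's menu choice, decide which group-policy a session gets, and to pin each group-policy to a vpn-filter ACL that only permits the subnets that group needs. The configuration below is an added example written for this post; it is not the poster's or the MSP's configuration. Every name (AD_LDAP, AD_GROUP_MAP, the GP_* and VPNF_* names, RA_VPN), every subnet, the address pool, the LDAP server address and the DNs are assumptions chosen for illustration. On older ASA software the mapped attribute is called IETF-Radius-Class instead of Group-Policy.

```cisco
! Added example (not from the post): map AD groups to AnyConnect
! group-policies and restrict each policy with a vpn-filter ACL.
! Assumed (placeholder) addressing:
!   Server/Printer 10.10.10.0/24   EMR  10.10.20.0/24
!   VoIP           10.10.30.0/24   HVAC 10.10.40.0/24
!   AnyConnect address pool        10.99.0.0/24
ip local pool VPN_POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0

! --- Authenticate every VPN user against AD over LDAP (assumed server/DNs) ---
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.10.10.5
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=local
 ldap-login-password PLACEHOLDER_PASSWORD
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP

! --- memberOf -> Group-Policy: AD membership picks the policy ---
ldap attribute-map AD_GROUP_MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=Remote Access,OU=Groups,DC=example,DC=local" GP_REGULAR
 map-value memberOf "CN=PBX Support,OU=Groups,DC=example,DC=local" GP_VOIP
 map-value memberOf "CN=HVAC Support,OU=Groups,DC=example,DC=local" GP_HVAC
 map-value memberOf "CN=IT Remote,OU=Groups,DC=example,DC=local" GP_ITADMIN

! --- vpn-filter ACLs: source = VPN pool, destination = allowed subnets ---
! The ASA evaluates these for the client side of the flow; return
! traffic is handled for you. Everything not listed hits the implicit deny.
access-list VPNF_REGULAR extended permit ip 10.99.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPNF_REGULAR extended permit ip 10.99.0.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list VPNF_REGULAR extended permit ip 10.99.0.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list VPNF_VOIP extended permit ip 10.99.0.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list VPNF_HVAC extended permit ip 10.99.0.0 255.255.255.0 10.10.40.0 255.255.255.0

! --- Default policy for anyone whose AD groups map to nothing: no session ---
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP_REGULAR internal
group-policy GP_REGULAR attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL
 vpn-filter value VPNF_REGULAR

group-policy GP_VOIP internal
group-policy GP_VOIP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL
 vpn-filter value VPNF_VOIP

group-policy GP_HVAC internal
group-policy GP_HVAC attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL
 vpn-filter value VPNF_HVAC

! IT Sysadmins: no vpn-filter, so all subnets are reachable
group-policy GP_ITADMIN internal
group-policy GP_ITADMIN attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL

! --- One connection profile is enough; the LDAP map overrides any choice ---
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 authentication-server-group AD_LDAP
 default-group-policy GP_NOACCESS
tunnel-group RA_VPN webvpn-attributes
 group-alias "Remote Access" enable

webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

Two practical points. Only one group-policy is applied per session, so keep the mapped AD groups disjoint (a user who needs more access goes in the broader group, not in two of them); the GP_NOACCESS default means an AD account that is in none of the mapped groups authenticates but is refused a session, which is the safe failure mode. To check what a connected user actually received, `show vpn-sessiondb detail anyconnect` lists the Group Policy and Filter Name assigned to each session.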
I'm posting here because I asked my MSP's network engineer to do this and was told it was absolutely not a problem. He's now spent several months trying to figure out how to do it.
My question is: what would be the best way to do this? Or is what I'm asking for extremely convoluted and hard to set up?