Cisco ASA AnyConnect – Authenticate using RSA token, Assign policy based on AD Group
Tags: cisco-anyconnect, cisco-asa
I've successfully created an AnyConnect VPN configuration on my Cisco ASA and it authenticates to RSA SecurID to use the token code. However, what I'd like to do now is an AD lookup on the username and, based on what group they are in, assign them the correct group-policy. I know this isn't possible using ACS. I'm not sure if RSA has these capabilities. Perhaps the ASA can do this using identity firewall?
Best Answer
My understanding is that when using the SDI protocol for RSA integration, you cannot pass group/class info. However, if you reach the RSA server using RADIUS, then the RSA server can be configured to return a RADIUS Class attribute of the format "OU=group-policy-name;" which is then used to match a group-policy name in the ASA config. I've done it this way with another customer. For example:
Then, you would have a group-policy that fails closed (I usually call it "NOACCESS") that sets "vpn-simultaneous-logins" to 0 which drops the connection, like so:
You would then have one or more group-policies that describe your VPN users and override the "vpn-simultaneous-logins" value with a non-zero value (I usually set it back to the default value of 3), like this:
Finally, your tunnel-group would be set to use the RSA server (via RADIUS) for the authentication server, and then the default group policy is set to the "NOACCESS" group to force the group to fail closed if the RADIUS Class value isn't returned:
The important notes with this solution are:
The behavior is that the user's session will inherit the default group-policy value of "NOACCESS" and be assigned the attribute of "vpn-simultaneous-logins 0" if no matching RADIUS Class attribute is returned. If a Class attribute which matches the name of a group-policy in the ASA is returned, the user session is assigned that group-policy instead, which then overrides the inherited default "vpn-simultaneous-logins" value and allows them to continue their login.
I've used this RADIUS configuration regularly for years, and a customer I worked with discovered the RSA requirement that RADIUS be used to pass the Class attribute for group assignment. Unfortunately I do not know the RSA setup to do the group mapping or return the attributes, but this thread and this thread may prove helpful there.
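As an added illustration of the pattern the answer describes (this is not the answerer's own configuration, whose blocks are missing above), the following ASA CLI fragment shows the RADIUS server definition, the fail-closed NOACCESS group-policy, a real group-policy selected by the RADIUS Class attribute, and the tunnel-group wiring. The names RSA-RADIUS, NOACCESS, VPN-USERS, ANYCONNECT, VPN-POOL and the addresses are constructed placeholders; the existing working AnyConnect/webvpn setup from the question is assumed.

```cisco
! Added example of the fail-closed group-policy pattern; server names,
! policy names, addresses and the shared secret are placeholders.
!
! RSA Authentication Manager is reached over RADIUS (not SDI) so it can
! return a Class attribute. For users in the mapped AD group the RSA side
! must return Class = "OU=VPN-USERS;" ; the ASA matches the text between
! "OU=" and ";" against its group-policy names.
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
ip local pool VPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
! Fail-closed default: zero simultaneous logins drops the session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy applied when RADIUS returns Class "OU=VPN-USERS;"; restores the
! default login limit so the session is allowed to complete.
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
!
! The tunnel-group authenticates against RSA over RADIUS and inherits
! NOACCESS whenever no matching Class attribute is returned.
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool VPN-POOL
 authentication-server-group RSA-RADIUS
 default-group-policy NOACCESS
tunnel-group ANYCONNECT webvpn-attributes
 group-alias anyconnect enable
```

After a test login, `show vpn-sessiondb anyconnect` shows the Group Policy actually applied to the session; a user landing in NOACCESS means the Class attribute was not returned or did not match a group-policy name.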