Hey Dameon,

Thats not at all what customer wants...ok attached a screenshot of it in here. Actually what they would like is to have specific AD groups associated with specific authentication schemes and on gateway vpn auth tab, that does not even seems to be an option. I spoke to Tier 3 guy in dallas, but he does not seem to know if thats dosble and said would check with esc team. Screenshot attached. So how to associate groups with auth?? These are NOT local users, but AD ones.

Andy

Well, they would all be different groups on AD and no user would belong to 2 same groups, so its pretty shocking there would be no way on CP to do this...on Fortigate and Cisco is super easy.

Andy

What it achieves is that thats how they have it with Cisco and they dont wish to change it...they ONLY want certain groups of users say use radius auth and there are some groups where username/password is enough. When I spoke with TAC today, yes, we discussed the gateway auth option from screenshot I gave in my last response, but even there, there is no option anywhere to select specific group that can be tied to certain auth type. Last night, we did end up creating user template, which lets you add user group, which then can contain ldap group, that can be added to accessrole object...BUT, that still does not let us tie it to any type of auth on the gateway, very frustrating. 

Anyway, tac guy said will check with escalations and let us know tomorrow. We may try set up another ldap group and test with different ad branch. Weird thing is, even for radius, you log in with username and password, but then when radius part comes in, it never shows proper options on the vpn client...

Andy

Ok, I will explain...so you create user group, assign whatever AD users you want, associate auth method with that group, save config and thats it. Once rules are in place for vpn, users will be prompted to authenticate based on the method assigned...clear?

That only tells me how to configure it as an admin, not what an end user experiences when they try and log in.

When you define an LDAP AU, you can specify what authentication methods are allowed for all users under that AU.

I'm guessing you could create several AUs against the same LDAP servers with specific branches for each group you're interested in.
Each AU would specify different authentication schemes that could be used. 
Not quite sure what the end user experience would be here, though. 

I don't know for sure, but I suspect this is an RFE. 

Yea...funny enough, that option you showed does not do anything, sadly. Thats default setting and usually all those options are allowed anyway, so no need to change them. Really, what end users currently experience is they only have to choose auth method once on Cisco anyconnect (equal to CP vpn endpoint client) and thats it, no need to mess around after. Tac guy from Dallas said he will consult with escalation, because Im positive there is a way to do this on CP...EVERY major fw vendor has this ability and its so easy to do it.

The multiple authentication schemes dialog you showed earlier does make those authentication options available to the end user after you push policy.
However, there is no way to tie a specific authentication method to a user group.
If the ID is unique in LDAP and associated with that specific group, they'll have access regardless of how they authenticated.
If you want to provide different levels of access based on how they authenticate instead of or in addition to the LDAP group, pretty sure that is an RFE.

If thats the case, I find that really surprising, if not shocking. If you take Cisco asa, super easy. fortigate (same thing), even palo alto has this ability and its very straight forward. Though, I will say we did make progress today and I may ask the customer tomorrow to try create another user template that includes specific ldap group (that can be created to reference specific AD group) and then add it to accessrole group and we will test more. Even tac said that seems to be the best way...so lets keep our fingers crossed 🙂

That does sound promising, keep me posted.

You bet brother : ). In IT community, its important to share knowledge, regardless what vendor it is.

Andy

Of course 😉