VPN Authentication to w2k domain

Hello Everyone,
I am having a problem getting an ASA 5505 to authenticate directly against a w2k domain. There is no RADIUS server involved. I am using Kerberos. We are getting an error message back stating that the clocks on the ASA and the server are more than 5 minutes off and the authentication request is being denied.
The clocks are within 5 seconds of each other and in the same time zone.
I am not sure if the issue is due to having a w2k AD instead of a w2k3.
Has anyone run into this before?
Thanks in advance! All replies rated.

Yep, I've heard of that lots of times. Can you try making your Win2K box an NTP server and pointing your ASA to it as an NTP client?
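Added example, not part of the thread or of any Cisco tooling: a Python 3 script (standard library only) that measures this host's clock offset against an NTP server the way an SNTP client does (RFC 4330) and reports whether it is inside the Kerberos default 5-minute clockskew. Point it at the DC; the hostname dc01.example.com below is a placeholder. One caveat worth checking before blaming NTP: Kerberos compares UTC, not wall-clock time, so two boxes can display the same local time in the same zone and still disagree by hours in UTC if a manually set clock had the wrong time-zone offset applied. The offset computed here is the UTC difference.

```python
"""Clock-skew check for Kerberos: SNTP query and offset computation (RFC 4330)."""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KERBEROS_MAX_SKEW = 300         # Kerberos default clockskew in seconds (the "5 minutes" in the error)
NTP_HEADER = "!BBbb11I"         # LI/VN/Mode, stratum, poll, precision, then 11 32-bit words


def ntp_to_unix(seconds, fraction):
    """Convert an NTP 64-bit timestamp (32.32 fixed point) to Unix seconds as a float."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def unix_to_ntp(t):
    secs = int(t) + NTP_EPOCH_OFFSET
    frac = int((t - int(t)) * 2 ** 32)
    return secs, frac


def parse_ntp_reply(packet):
    """Return (receive_ts, transmit_ts) of a 48-byte NTP server reply, in Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_HEADER, packet[:48])
    # f[7:9] reference ts, f[9:11] origin ts, f[11:13] receive ts, f[13:15] transmit ts
    if (f[0] & 0x07) != 4:
        raise ValueError("not a server reply (mode 4)")
    return ntp_to_unix(f[11], f[12]), ntp_to_unix(f[13], f[14])


def build_ntp_reply(recv_unix, xmit_unix):
    """Construct a mode-4 server reply carrying the given timestamps (used for offline testing)."""
    r, x = unix_to_ntp(recv_unix), unix_to_ntp(xmit_unix)
    return struct.pack(NTP_HEADER, 0x24, 2, 6, -20, 0, 0, 0, 0, 0, 0, 0, r[0], r[1], x[0], x[1])


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset: t1 client send, t2 server receive, t3 server send, t4 client receive."""
    return ((t2 - t1) + (t3 - t4)) / 2


def within_kerberos_skew(offset, max_skew=KERBEROS_MAX_SKEW):
    return abs(offset) < max_skew


def query_offset(server, timeout=2.0):
    """Live check: send an SNTP request to `server` (UDP/123) and return our offset from it."""
    request = bytearray(48)
    request[0] = 0x23                       # LI 0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(bytes(request), (server, 123))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    t2, t3 = parse_ntp_reply(data)
    return clock_offset(t1, t2, t3, t4)


if __name__ == "__main__":
    # Placeholder DC name; use the Kerberos server configured on the ASA.
    host = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"
    off = query_offset(host)
    print(f"offset vs {host}: {off:+.3f}s; within Kerberos skew: {within_kerberos_skew(off)}")
```

Run it from a host on the same segment as the ASA, against the DC. On the ASA itself, once `ntp server <dc-ip>` is configured, `show ntp status` and `show ntp associations` show whether it has actually synchronized; a configured but unsynchronized NTP peer is the usual reason "the clocks look right" and the KDC still rejects.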

Similar Messages

  • WinAD manual authentication to two domains

    Hi,
    We have our windows 2008 domain (A) and a secure windows domain (B) which we have a one way forest trust with.  Their trust of us is listed as 'External, not transitive'.
    So
    A - Forest, Transitive -> B
    B - External, Not Trans -> A
    We are running web sphere on windows 2008 R2, BOXI 3.1 SP 5.
    We have set up WinAD manual authentication with our domain A using Kerberos.  Reading the documentation and threads here, it's obvious we cannot add domain B without creating a forest trust from the other side.  This will not happen for security and policy reasons.
    Should we be able to configure BOXI manual LDAP authentication to their AD and have it coexist with the WinAD auth?
    Thanks,
    Sam

    Yes that is possible and you can configure.
    It should work fine.
    -Raunak

  • 802.1x using authentication from NT Domain Controller instead of Radius

    I would like to know if it's possible to configure 802.1x using authentication from NT Domain Controller, instead of using Radius or Tacacs.

    It is possible to use MS AD, generic LDAP, or Novell NDS for authentication; it's fairly common.
    The issue is "How do you get the device to talk to the authentication source (AD, DC, NDS, LDAP)?"
    The answer is RADIUS.
    You can configure RADIUS to pull authentication from a variety of sources (depending on the RADIUS server; many/most can use any of the LDAP-based systems).
    So, yes, you can certainly use Microsoft AD, but you need RADIUS to connect the two systems (the 802.1x device and the AD server).
    If cost is the issue, try FreeRADIUS (www.freeradius.org): it's fully featured (can use LDAP, AD, NDS, certificates, etc.), it's free, and configuration is much easier than it looks.
    Good Luck
    Scott

  • Clients authenticating to wrong Domain Controllers

    In our domain we have 28 sites, and each site has its own domain controllers; we also have one data center where we have 3 DCs.
    The domain controllers run the DNS role as well, and DNS replication is Active Directory integrated.
    For all clients the local DC is configured as primary DNS and the data center DCs are configured as secondary DNS.
    The problem is that most of the time client machines are not getting authenticated by the local domain controller; most of the time authentication happens on another location's domain controller or the data center DCs.
    I have done the following troubleshooting steps:
    DNS - verified in DHCP and ensured that the local domain controller (DNS) server is configured as primary DNS server and the data center DCs as secondary
    SRV records - verified and they look fine
    Subnets - verified and found they are configured according to the sites in AD
    I can confirm the information in the SRV records and the AD subnet information is accurate.
    Please help me resolve the issue.
    Mahesh

    > The problem is that most of the time client machines are not getting authenticated by the local domain controller; most of the time authentication happens on another location's domain controller or the data center DCs.
    This is usually caused by one of the following:
    AD sites and subnets not configured properly: DCs not moved to the correct sites, missing subnets, subnets linked to the wrong sites. Here netlogon.log on each DC will help you get more information about this: http://support.microsoft.com/kb/109626
    Security filtering: if traffic to local DCs is filtered, client computers will not be able to query them and will try to query other DCs. You can use PortQryUI to make sure that all the ports needed for authentication are open: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
    Wrong DNS records, which may cause wrong DNS resolution. Here clients may be redirected to DCs you don't want them to contact.
    For AD sites and subnets, make sure that:
    You created an AD site per physical location that has DCs in it
    You created all used subnets (be careful about subnetting and supernetting) and linked them to their correct sites. Each subnet will be linked to the AD site containing the DCs you would like to be contacted.
    For filtering, use PortQryUI for checks, and you can use the event logs for more information.
    For the DNS system, you can proceed like this to be sure that all DCs are registered correctly and that DNS resolution will be fine:
    Make sure that all DCs have one IP address in use and only one NIC enabled (other NICs should be disabled)
    Make sure that public DNS servers are set as forwarders and not in the IP settings
    Choose a healthy DC / DNS server and make all DCs point to it as primary DNS server. You can make the other DNS servers point to their own private IP address as secondary.
    Make sure that the ports needed for AD replication are open in both directions: http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
    Once done, run ipconfig /registerdns and restart netlogon on each DC you have. That way all DCs will update their records on the chosen DNS server and the changes will be replicated to the other DC / DNS servers using AD replication. Of course, it will be better to manually remove all obsolete / unused DNS records.
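Added example for the subnet/site check in the reply above; it is not from the thread or from Microsoft tooling. Python 3, standard library only, with a constructed sample set of AD subnet objects. It applies the rule the DC locator uses when it places a client in a site (the most specific AD subnet object containing the client's address) and shows the two ways a client quietly ends up at a remote DC: an address that matches no subnet object at all (these are the `NO_CLIENT_SITE` entries in netlogon.log) and a supernet that catches everything the narrower subnets miss, which is the "be careful about subnetting and supernetting" point. On a live network, `nltest /dsgetsite` on a client and `nltest /dsgetdc:<domain>` show the decision the DC actually made.

```python
"""AD site lookup by longest-prefix match over subnet objects, plus two audit checks."""
import ipaddress

# Constructed sample of AD subnet objects (subnet -> site); not taken from the thread.
# 10.0.0.0/8 is a deliberate supernet so the shadowing cases show up below.
SUBNETS = {
    "10.0.0.0/8": "DataCenter",
    "10.10.0.0/16": "Site-Mumbai",
    "10.10.5.0/24": "Site-Mumbai-Lab",
    "192.168.50.0/24": "Site-Delhi",
}


def site_for_client(ip, subnets=SUBNETS):
    """Site of the most specific (longest prefix) subnet object containing ip, or None.

    None is the 'no client site' case: the DC locator then hands out a DC from any site,
    which is exactly the symptom of clients authenticating to remote DCs.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def unmapped_clients(client_ips, subnets=SUBNETS):
    """Client addresses that match no subnet object at all (what NO_CLIENT_SITE lists)."""
    return [ip for ip in client_ips if site_for_client(ip, subnets) is None]


def supernet_shadows(subnets=SUBNETS):
    """(supernet, subnet) pairs where a broad subnet object contains a narrower one.

    Anything inside the supernet but outside the narrow ranges silently lands in the
    supernet's site, so each pair should be checked against the intended site plan.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in subnets]
    pairs = [(str(big), str(small)) for big in nets for small in nets
             if big != small and big.version == small.version and small.subnet_of(big)]
    return sorted(pairs)


if __name__ == "__main__":
    for ip in ("10.10.5.20", "10.10.9.1", "10.77.1.1", "172.16.1.1"):
        print(f"{ip:>14} -> {site_for_client(ip)}")
    print("unmapped:", unmapped_clients(["10.10.5.20", "172.16.1.1"]))
    print("supernet shadowing:", supernet_shadows())
```

Feed `site_for_client` the client ranges from DHCP scopes and `supernet_shadows` the export of the Subnets container; every `None` and every unexpected pair is a client population that will not prefer its local DC.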

  • ACS shell profile to only allow VPN authentication from TACACS+

    I'm currently rebuilding all of my VPN profiles after it was found that we were using TACACS+ for authentication to the VPNs, which would also allow users to SSH to all of the network infrastructure. The new profiles will be RADIUS based and it will take some time to get them to the users.
    In the meantime I'm looking to create a new shell profile for the VPN users that will only allow them to authenticate to the VPN and not gain access to the CLI of the infrastructure.
    Thanks

    Hi,
    I tested this with Cisco ACS 5.5 with TACACS+ for the VPN tunnel and it doesn't work.
    It gives you an error stating that the service protocol used is for device administration.
    So it doesn't allow VPN authentication to work, but for RADIUS this works properly.
    Thanks & Regards,
    Nitesh

  • VPN Concentrator authentication with multiple domains

    I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access, but site A and site B have their own domains that are independent of one another. Can I set up the VPN concentrator to authenticate users that belong to site A's domain using site A's domain controller and authenticate users that belong to site B's domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
    Thanks in advance for any help.

    To authenticate users that belong to site A's domain using site A's domain controller, you should authenticate users that belong to site A's domain using site A's domain controller.

  • Vpn authentication problem

    I have 2 AD accounts in 2 domains, Singapore and China. Both domains are under 1 forest. The problem is that when I use the Cisco VPN to connect to the Singapore firewall with the China AD account & password, authentication fails. But when I use the Cisco VPN to connect to the China firewall with the Singapore AD account & password, authentication works. Why? Please help, and thanks.

    Muhammad,
    I think you have an issue with your AD search order....try adding the domain OU prefix with a "\" then the username i.e:-
    domain\username
    HTH.

  • Anyconnect SSL VPN Authentication Failure

    Dear All,
    I have configured an ASA 5510 as an SSL VPN gateway, version 8.2(4), AnyConnect Essentials. The clients are authenticated via RADIUS and an OTP password.
    All worked well until yesterday, when I made some configuration changes. My objective was to have the clients accept the self-signed certificate issued by the ASA without the warning about the private cert.
    So I tried to generate a new certificate with FQDN equal to myasa.mydomain.com and also CN=myasa.
    Then I changed the profile XML file of my AnyConnect in this way:
    <HostEntry>
        <HostName>myasa</HostName>
        <HostAddress>xxx.xxx.xxx.xxx</HostAddress>
        <PrimaryProtocol>SSL</PrimaryProtocol>
    </HostEntry>
    Then I installed the certificate on my Win7 PC in the Trusted Root Certification Authorities store.
    The result of all my changes is that now the login fails! Could someone help me please?
    webvpn_allocate_auth_struct: net_handle = DA0C3608
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = VPNSSL
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from group list
    webvpn_login_resolve_tunnel_group: TG_BUFFER = VPNSSL
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-636397680) and nh (-636733944)!
    webvpn_add_auth_handle: auth_handle = 95
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5163]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name = VPNSSL
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 1
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: ([email protected]) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2939]
    WARNING: CSD is disabled by AnyConnect Essentials license.
    webvpn_session.c:http_webvpn_create_session[184]
    webvpn_session.c:http_webvpn_find_session[159]
    WebVPN session created!
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_destroy_session[1386]
    webvpn_remove_auth_handle: auth_handle = 95
    WARNING: CSD is disabled by AnyConnect Essentials license.
    WARNING: CSD is disabled by AnyConnect Essentials license.
    webvpn_portal.c:webvpn_determine_primary_username[5689]
    webvpn_portal.c:webvpn_determine_secondary_username[5758]
    webvpn_portal.c:ewaFormServe_webvpn_login[1974]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    APP_BUFFER: <option value="VPNSSL" noaaa="0" >dntsbewvpn</option>
    webvpn_free_auth_struct: net_handle = DA0C3608
    webvpn_allocate_auth_struct: net_handle = DA0C3608
    webvpn_free_auth_struct: net_handle = DA0C3608

    Dear All,
    I have found why the authentication stopped working.
    I had lost this command from the config:
    svc image disk0:/anyconnect-win-xxxxxk9.pkg 1
    Now it works.
    Best regards,
    Igor.

  • Remote Access VPN authentication through RADIUS

    Hi,
    I have configured remote access VPN (IPsec) on my Cisco ASA. Before, there was only a single username & password for the VPN client. Now I am planning to give access through a RADIUS server. I have configured the RADIUS server on a Win 2003 server.
    Server configuration:
    1) Administrative Tools > Internet Authentication Service, right-click on RADIUS Clients and add a new RADIUS client with the IP address of the Cisco ASA (inside interface).
    2) Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
    3) Check that Grant Remote Access Permission is selected. Click Edit Profile and check these settings: on the Authentication tab, check Unencrypted authentication (PAP, SPAP), MS-CHAP, and MS-CHAP-v2. On the Encryption tab, ensure that the option for No Encryption is selected. Click OK when you are finished.
    4) Select Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and select New User to add a user to the local computer accounts. Add a user and check this profile information: on the General tab, ensure that the option Password Never Expires is selected instead of the option User Must Change Password. On the Dial-in tab, select the option Allow access.
    ASA configuration:
    aaa-server vpn protocol radius
    aaa-server vpn host 10.155.20.25 (RADIUS server IP)
    key cisco321
    tunnel-group vpnacc type ipsec-ra
    tunnel-group vpnacc general-attributes
    authentication-server-group vpn
    But it is not working. Please guide me to resolve this issue.
    Regards,
    som

    Also, take a look at your logs on the Windows server, and try debugging the ASA. Try running Wireshark or Network Monitor on the Windows server to see if the requests are coming in. You should be able to figure out pretty quickly what is going on by debugging AAA on the ASA and/or checking the logs on the server. Make sure the service is running on the Windows box. Make sure that something stupid like Windows Firewall isn't blocking the connection. You can turn on debugging by typing "debug aaa", "logging console debugging" and "term mon". You can test AAA by typing "test aaa-server authentication vpn host x.x.x.x username someusername password somepassword".
    Hopefully this will lead you in the right direction. Oh, one more thing: when you are done, don't forget to turn off the debug by typing "undebug all". Another word of warning: running debugs on a production firewall should be done at your own risk; it is very easy to overwhelm a device to the point where it stops responding by running debugs.

  • How can I set up SSL login authentication on one domain for multiple domains

    Our site currently runs in 22 countries with 22 different
    country domains:
    www.mysite.com
    www.mysite.co.uk
    www.mysite.fr
    etc
    We want to use SSL on our login pages but realise that the
    cost of certification for every domain is expensive. One solution
    would be to channel all login activity to a single domain, eg:
    www.mysite.com/login.cfm?site=fr which would then redirect to
    www.mysite.fr – this is how Google do it
    But, currently we are using encrypted cookies for login
    authentication so we would have the problem of having to transfer
    the cookie info across domains securely. Is there any way of going
    about this?
    Any other suggestions would be great, too. We do plan to move
    to session management for logins but this is a longer term project
    so we are hoping to sort out the SSL prior to that.

    Can you not pass the values you need as URL parameters? Encrypt them before you send them and then decrypt them on the new domain. Then add them to whatever place you need (cookie, session, etc.)?
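Added example, not from the thread: what "encrypt them before you send them" should mean for a cross-domain login handoff. Python 3, standard library only; the key, the hostnames and the `sso_landing.cfm` path are placeholders. The central login page mints a short-lived token bound to the destination host (audience), signed with HMAC-SHA256 under a key shared by all the country sites, and carries it in the redirect URL; the destination verifies the signature before parsing anything, checks audience and expiry, and burns the one-time id so a token copied out of a web-server log or a Referer header cannot be replayed. An encrypted-but-unsigned value would satisfy the confidentiality goal and fail every other check here.

```python
"""Signed, time-limited, audience-bound login handoff token for a cross-domain redirect."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Placeholder shared key; each site gets it from configuration, never from the URL.
SHARED_KEY = b"example-shared-key-32-bytes-long!!"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * ((-len(text)) % 4))


def mint_token(user_id, target_host, key=SHARED_KEY, now=None, ttl=60):
    """Token = base64(json payload) . base64(HMAC-SHA256(key, payload))."""
    now = int(time.time() if now is None else now)
    payload = {"sub": user_id, "aud": target_host, "iat": now, "exp": now + ttl,
               "jti": secrets.token_hex(8)}          # one-time id for replay detection
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def check_token(token, expected_host, seen_jti, key=SHARED_KEY, now=None):
    """Return ('ok', user_id) or ('error', reason). The signature is verified before any parsing."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 2:
        return "error", "malformed"
    body, sig = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return "error", "bad signature"
    payload = json.loads(_unb64(body))
    if payload.get("aud") != expected_host:
        return "error", "wrong audience"
    if not (payload["iat"] <= now < payload["exp"]):
        return "error", "expired"
    if payload["jti"] in seen_jti:
        return "error", "replayed"
    seen_jti.add(payload["jti"])        # burn the id; a real deployment keeps this server-side
    return "ok", payload["sub"]


def login_redirect(user_id, site):
    """URL the central login page sends the browser to after a successful login."""
    host = f"www.mysite.{site}"
    return f"https://{host}/sso_landing.cfm?token={mint_token(user_id, host)}"


if __name__ == "__main__":
    seen = set()
    url = login_redirect("alice", "fr")
    token = url.split("token=", 1)[1]
    print(url)
    print(check_token(token, "www.mysite.fr", seen))
    print(check_token(token, "www.mysite.fr", seen))   # second use is rejected as a replay
```

The landing page should consume the token, set its own cookie for www.mysite.fr and redirect once more so the token leaves the address bar and the browser history; the set of seen ids has to live in shared server-side storage, and the 60-second TTL keeps that store small.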

  • How to bypass from OAM authentication for certain domain

    Hi All,
    We are trying to unprotect a certain domain from the OAM domain but couldn't. Please help us fix this issue.
    Environment details:
    We have two nodes, one node for OAM_OSSO and another one for the OSSO_Portal application.
    OAM server details:
    On this server, Oracle Application Server Single Sign-On (services are HTTP, OC4J, and OID) and OAM. Integrated OAM_OSSO using [ID 979827.1]
    Portal server details:
    On this server, Oracle Application Server Single Sign-On (services are HTTP, OC4J, and OID) and the portal WebLogic server (portal application) are running. The portal WebLogic is registered with its own portal OSSO.
    In OAM, we protected the following portal URLs:
    /sso/auth
    /pls/orasso/orasso.wwsso_app_admin.ls_login
    The portal_OAM integration is working fine.
    Now the portal team has come with a new requirement for a customer: an application also running in the same portal WebLogic server, whose domain is already registered with the Portal OSSO, and the Portal OSSO page is protected by OAM. The requirement is to bypass OAM authentication and authenticate against their own portal OSSO+OID.
    Please tell me how to bypass OAM authentication in this scenario.
    -Sarath

    Hi MD,
    Thanks for your update.
    We are using Oracle 10g. Please tell me how the Anonymous scheme will help us get out of this issue.
    The Portal WebLogic server is registered with the portal IDM server, and the portal IDM server's OSSO is protected by the IDM OAM. So any application deployed under the portal WebLogic server will be protected by OAM, right? Please correct me if I am wrong.
    In this scenario we have two OSSOs, one on the OAM node and another one on the portal server. Now the portal team has come up with a new web server domain for the customer; in the customer scenario we want to authenticate against the portal OSSO with its own OID rather than using OAM authentication. My concern is that for customer and employee the portal WebLogic server and the portal OSSO are common to both users; the only difference is the web server domain.
    So if I try to access the customer application, the customer web server redirects to the portal WebLogic to open the requested page (note: if the webgate is not in the picture). The portal WebLogic server is registered with the portal OSSO and redirects to the portal OSSO for authentication, but the Portal OSSO server is integrated with OAM using a webgate.
    1. When trying to access the customer application, the Portal OSSO server tries to show its own SSO login page for authentication, but the Portal OSSO server is already integrated with OAM, so the portal OSSO server requests OAM to access the portal SSO login page, not the customer login page.
    2. Here the portal OSSO login page is protected and OAM serves the login page for OAM authentication against the OAM OID. If I specify the Anonymous scheme for the customer domain, how will it work here, since the portal OSSO requests OAM to access the portal OSSO login page, not the customer page or the employee page?
    Here OAM authentication will come into the picture for all scenarios, but we need to bypass it for the customer login.
    The requirement is that when a customer tries to access, authentication needs to happen in the portal OSSO, not in OAM. I hope you understand the architecture. Please suggest how.
    -Sarath

  • Authentication using multiple domains

    We've got a rather complicated configuration scenario here and I need to understand what would need to happen to put this in place, or if it can even be accomplished at all.
    We are on Business Objects XIR2 SP3 in a Windows 2003 environment. We are currently using Trusted Authentication with a 3rd party web security component (ISAPI filter) running on our IIS box; however, our Web Intelligence implementation is actually done in Tomcat, which is connected to the IIS box simply using the IIS to Tomcat connector (also an ISAPI filter). We currently have the LDAP plugin configured to hit an ADAM directory server; however, we are rewriting our web security solution with an AD back end. The AD back end may possibly have two different domains involved, one for internal users and one for external users. I would need to be able to authenticate users from both domains, and have all the other pieces and parts continue to work as far as authentication goes (ADAM via LDAP, trusted authentication for the thin client interface using the WEB_SESSION approach, and both AD directories with users in each all able to authenticate to the tool set).
    First, can you tell me if it's even possible to accomplish this? And second, if it is, what kind of trust relationship does there need to be, if any, between the internal and external users AD domains? I ask because I see only one place to set up an SPN, and there are specific application server services that have to be configured to run as that given service account, so I'm assuming there has to be some sort of trust relationship there since our application servers are all installed in one of those domains.
    Thanks,
    V

    These questions keep getting more complicated
    Your domain situation depends on 2 things. If internal and external are 2 domains in the same AD forest(trust is automatic this way) then it should work fine (provided you aren't firewalling off the users as internal/external could imply).
    If they are not in the same forest then you would need a 2-way transitive trust, no firewalling, and XI 3.1 in order to map groups/users from both domains into 1 plugin (this would require the AD plugin).
    Another option might be to use the LDAP plugin for 1 forest and AD plugin for the other but that would kill your existing users. This is your only option in XIR2 if you have 2 forests.
    Regards,
    Tim

  • Ldap server authentication for EAI domain

    Hi everybody,
    I have configured a new realm for the security of the created EAI Domain and made it default. In this realm, the authentication provider is the iPlanet LDAP Server.
    Now the booting is fine, but then when I start the WebLogic Studio it is not getting authenticated and I keep getting the error:
    <Nov 26, 2002 10:00:27 AM IST> <Error> <B2B> <000000> <<WLI-Security> ERROR: No realm found.>
    <Nov 26, 2002 10:00:27 AM IST> <Error> <B2B> <000000> <<WLI-Security> ERROR: Initialization of WLI Authentication Service failed with exception java.lang.RuntimeException: ERROR: No realm found..>
    The error page obtained at Studio is given as an attachment.
    Anybody having any info regarding the same - please do pass it on.
    Thanks and regards,
    Ritwik
    [wli-error.doc]

    Hello Ritwik,
    it should for sure, but with this release WLI depends on the
    compatibility realm.
    Christian Plenagl
    Developer Relations Engineer
    BEA Support
    "Ritwik" <[email protected]> wrote:
    > Conceptually, if I create respective groups (similar to the groups and users of
    > the compatibility realm) in the LDAP server and do the authentication from there
    > - it should work - shouldn't it???
    > Any pointer !!!
    > Regds,
    > Ritwik
    >
    > "Christian Plenagl" <[email protected]> wrote:
    > > Hi Ritwik,
    > > you can read in the WLI documentation that WLI7 currently supports the compatibility realm only.
    > > Please have a look at:
    > > http://e-docs.bea.com/wli/docs70/deploy/secure.htm#1365621
    > > Christian Plenagl
    > > Developer Relations Engineer
    > > BEA Support

  • Anyconnect VPN-Authentication multiple profiles via ACS

    Hi,
    I'm currently facing the issue that I need to migrate a customer's VPN structure from the VPN client to the new AnyConnect.
    There is an ASA 5515 and they have ACS with local users and AD integration.
    The problem: the old system used different profiles with PSKs, so every external partner who had a VPN connection got its own profile, which was secured by the IKEv1 PSK. The credentials for externals are saved locally on ACS. Also there is a profile for the normal employees, who authenticate via AD or RSA. The guys who implemented this did it the easy way, meaning that when a user connects, the whole user table is checked (AD, local, RSA). So if an external had the .pcf from an internal user, it would be possible for him to connect to internal resources. There was no profile-to-usergroup binding.
    I should now implement a new ASA with AnyConnect and also keep up the different profiles. But in this case the problem is that there is no PSK any more. So if a smart guy changes the group in his XML profile to e.g. "Internal", it would authenticate and grant access to all resources, since the internal pool isn't restricted by ACLs, but the externals are.
    I'm looking for a guide on how to set up different policies on the ACS which look up the user only in the one group, depending on the profile he connected with. As far as I understand, I must somehow define already on the FW which group or policy it should look up. How can I achieve this?
    What do I need, e.g. for 10 different profiles?
    - 10 groups on ACS?
    - 1 access policy (Network Access) with 10 different authorization policy rules?
    - Anything else?
    Where do I define the policy to use in AnyConnect?
    Thanks in advance!
    BR

    I've done a similar deployment where all authentication, authorization and accounting was pointed from the ASA to ACS.
    There are multiple layers to your question.
    First of all, you have ACS, hopefully 5.x, which gives you a nice policy-driven authentication and authorization schema.
    1st layer - set up group-alias and group-url for specific users on the ASA.
    2nd layer - on ACS, decide where those connections should be authenticated/authorized against (go to AD, RSA, local DB). The ASA passes the tunnel-group name in authentication calls to ACS.
    3rd layer - the group-lock feature ensures that a user can only have access to resources if they are in a specific group.

  • Android, Ipad authentication under windows domain environment

    I'm really confused about the best practice to set up these devices in an 802.1x and Windows domain network using ISE.
    I have seen the iPad download the ISE certificate the very first time the device is connected to the SSID. On the Android device (Galaxy phone) I don't see the device download the certificate.
    Testing with the Android device I was able to install the root CA certificate (not an easy procedure); then when the SSID is configured on the device I have the option to choose the root CA certificate.
    Now if I don't include the certificate in the SSID configuration, the device is able to connect with an identity and password only. If I include the certificate in the SSID configuration, the device asks for the certificate storage password if the option to use secure credentials was not enabled before.
    How can I validate through ISE that the Android device is using the certificate? Is it possible to set a rule in ISE denying access if the device does not validate the certificate? I think EAP necessarily uses certificates, but the Android device does not show anything.
    I have read about provisioning and profiling the Android devices. I think the Network Setup Assistant available through Google Play is an easy procedure to install the root CA certificate. Am I right?
    The customer said it appears the certificate is being used to encrypt the username and password, not to do the authentication itself. Reading about EAP functionality I believe it is right; I understand that EAP-MSCHAP actually creates a tunnel to pass through the username and password. Right?
    As the iPad and Android devices are not in the Windows domain, what should be expected when the password is expired? Customer policy indicates users must change domain passwords every four months. On a Windows PC users receive warnings some days before the expiration, but it appears nothing happens on non-domain devices. A co-worker told me the easy way is that when this happens the user should remove the SSID on the device and create it again. The customer does not like this behavior, so what would be a best-practice workaround?
    I hope you can help me clarify my doubts.
    Regards.
    Daniel Escalante

    For client provisioning for Android you can refer to these guides:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html#wp1024291
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html#anc10
