topic Using Active Directory users to manage Cisco ASA 5510 in Network Access Control

Using Active Directory users to manage Cisco ASA 5510

gamercoar — Mon, 11 Mar 2019 02:55:32 GMT

Hi,

Sorry if I'm not posting this in the right area, just let me know where it should go and I'll repost it there.

I know that our VPN users currently use Active Directory to authenticate their VPN sessions, so now I'm wondering if there is an easy way to configure my company's Cisco ASA 5510 to use either a Windows Server 2008 R2 Active Directory group (preferred method) or specific Active Directory users (less preferred) and authenticate them for management access (privilege level 15) using their Active Directory credentials. I do not want this to change the IP range used for ASDM/HTTPS/Telnet/SSH access (currently all local networks, no VPN), as those are settings that my company does not want changed.

Thanks in advance.

Using Active Directory users to manage Cisco ASA 5510

nspasov — Sun, 30 Dec 2012 03:32:29 GMT

Hello Chris-

For this you will need either a Radius or a TACACS+ server. There are lot of open source Radius servers out there (Open Radius) and if you have Windows Server you can use their built-in NPS server as well. Otherwise you can go with something like Cisco' ISE or ACS which both include Radius. In addition, ACS includes TACACS+ which provides you the most granularity when it comes to authorizing users.

Hope this helps!

Thank you for rating!

Using Active Directory users to manage Cisco ASA 5510

gamercoar — Sun, 30 Dec 2012 04:24:05 GMT

We already have a RADIUS server in place, it's how we are authenticating our VPN users. What I really need is the how to configure the ASDM/HTTPS/Telnet/SSH management access to the ASA that authenticates the user against Active Directory instead of either:

a) a preshared password for one account, or

b) setting up individual local user accounts on the ASA for the IT staff

Using Active Directory users to manage Cisco ASA 5510

nspasov — Sun, 30 Dec 2012 04:34:01 GMT

OK what type of Radius server are you using and do you need help with the Radius server configuration or the ASA?

Using Active Directory users to manage Cisco ASA 5510

gamercoar — Sun, 30 Dec 2012 05:24:24 GMT

I only started at my company a few months back, so I don't know what kind of RADIUS server we have, but I can see from our VPN configuration that we have one and that we use it to authenticate our VPN users. I *think* all I need is help configuring the ASA to use it for management access for either an AD group or specified AD users, though if something needs to be specially configured on the RADIUS server, then I'll have to figure that out elsewhere.

Using Active Directory users to manage Cisco ASA 5510

nspasov — Mon, 31 Dec 2012 17:19:01 GMT

This is where we need to start. You need to find out what type, make and model of Radius server you have. From there we can try to figure out what and how the setup should look. The good news is that since it is already integrated for your VPN connection then it should not be too much work to get the rest going.