https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874857#M408292 <HTML><HEAD></HEAD><BODY><P>I've had it working just doesn't go by group. I'll keep digging thanks for the reply.</P></BODY></HTML> Wed, 21 Nov 2007 22:18:33 GMT gates1150 2007-11-21T22:18:33Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874851#M408286 <P>I'm setting up a new ASA with VPN access and am trying to decide which authentication method to use LDAP or RADIUS. I was wondering if there were any pros or cons to either way. I'm trying to control access by Active Directory Group.</P> Sun, 10 Mar 2019 22:30:01 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874851#M408286 gates1150 2019-03-10T22:30:01Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874852#M408287 <HTML><HEAD></HEAD><BODY><P>Not sure about any advantages/disadvantages to either but since you are authenticating against AD it would be simple for you to set up IAS on your domain controller. </P></BODY></HTML> Tue, 06 Nov 2007 18:42:29 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874852#M408287 acomiskey 2007-11-06T18:42:29Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874853#M408288 <HTML><HEAD></HEAD><BODY><P>From my own opinion, the advantage of using AD as the authentication server is that, passwords can expire after a number of days. Well, it still really depends on the password policy of your domain. That is one of the disadvantage of using Cisco ACS, the password won't expire after few days or months.</P><P></P><P>Regards,</P><P>John</P></BODY></HTML> Wed, 07 Nov 2007 14:43:24 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874853#M408288 jpl861 2007-11-07T14:43:24Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874854#M408289 <HTML><HEAD></HEAD><BODY><P>I am working with AD and testing out both the IAS RADIUS and the LDAP for SSL VPN, and there are a few differences.</P><P>SSL VPN in clientless mode allows for password management, so the end-user can update their pw from the login page.</P><P>LDAP allows you to notify the user X number of days before the pw expires and allow them to change it (# of days is configurable; secure LDAP is required, but not hard to set up).</P><P>RADIUS, again per the documentation, can only notify the user, and allow them to change the password, when it expires.</P><P></P><P>I am also trying to configure framed-ip-addresses, so that as users log in via the SSL VPN Client (AnyConnect), they will always get the same IP address. I can get the framed IP to work with RADIUS, but not LDAP.</P><P></P><P>LDAP also works very nicely with DAP in the SSL VPN, too, which allows you to add functionality to the profile assigned to a user a login based on AD group membership.</P><P></P><P>These are a few of the differences that I have found, so far.</P></BODY></HTML> Wed, 21 Nov 2007 21:54:34 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874854#M408289 lambiase 2007-11-21T21:54:34Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874855#M408290 <HTML><HEAD></HEAD><BODY><P>Can you control access by group with LDAP? I was able to get it to work but haven't gotten it working by AD group. </P></BODY></HTML> Wed, 21 Nov 2007 21:59:25 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874855#M408290 gates1150 2007-11-21T21:59:25Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874856#M408291 <HTML><HEAD></HEAD><BODY><P>This seems to be doable, but I have not done it here (I am running SSL VPN and using DAP, which certainly works with AD groups).</P><P></P><P>It looks like you configure an LDAP attribute map to the IETF-Radius-Class, (and then map your AD groups to ASA groups if the group names do not already match). See page 13-15 and Appendix E in the CLI Config Guide.</P></BODY></HTML> Wed, 21 Nov 2007 22:17:09 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874856#M408291 lambiase 2007-11-21T22:17:09Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874857#M408292 <HTML><HEAD></HEAD><BODY><P>I've had it working just doesn't go by group. I'll keep digging thanks for the reply.</P></BODY></HTML> Wed, 21 Nov 2007 22:18:33 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874857#M408292 gates1150 2007-11-21T22:18:33Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874858#M408293 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>I am in the same situation as you. I am currently using IAS on my Windows 2003 DC to authenticate remote users (IPSec VPN tunnel)via the Radius protocol. I was able to sucessfully authenticate users against Active Directory.</P><P></P><P>Now, the real issue is that we have a lot of remote users and they need to be able to change their Domain Passwords if they expire, or get notifications when their passwords are about to expire.</P><P></P><P>I was confused on what you posted: " RADIUS, again per the documentation, can only notify the user, and allow them to change the password, when it expires."</P><P></P><P>When using the RADIUS protocol over an IPSec VPN tunnel, are remote users able to change their passwords? Or only get notified when the password expires ? Thanks in advance.</P></BODY></HTML> Mon, 07 Jan 2008 18:03:27 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874858#M408293 najeebsyed2 2008-01-07T18:03:27Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874859#M408294 <HTML><HEAD></HEAD><BODY><P>Same here.</P><P></P><P>Am using IAS and PIX and need my users to be able to be notified and allowed to change there password in AD.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 15 Jan 2008 14:52:07 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874859#M408294 boschrexroth 2008-01-15T14:52:07Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874860#M408295 <HTML><HEAD></HEAD><BODY><P>I don't think you can do it with a PIX. You have to be on an ASA.</P></BODY></HTML> Tue, 15 Jan 2008 15:00:37 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874860#M408295 gates1150 2008-01-15T15:00:37Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874861#M408296 <HTML><HEAD></HEAD><BODY><P>Check the documentation for the version of PIX you are running. I don't believe what you are trying to do is possible with a PIX.</P></BODY></HTML> Tue, 15 Jan 2008 15:06:42 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874861#M408296 najeebsyed2 2008-01-15T15:06:42Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874862#M408297 <HTML><HEAD></HEAD><BODY><P>If you look in the ASDM under your connection profile for your Remote Access users. Look under Advanced there's an option "Enable notification upon password expiration to allow user to change password". </P><P></P><P>That's the only place I can see to try and make it work. </P></BODY></HTML> Tue, 15 Jan 2008 15:08:13 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874862#M408297 gates1150 2008-01-15T15:08:13Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874863#M408298 <HTML><HEAD></HEAD><BODY><P>I have read posts that say that using RADIUS it is NOT possible to use the password managment feature. Is that true?</P></BODY></HTML> Tue, 15 Jan 2008 15:11:57 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874863#M408298 najeebsyed2 2008-01-15T15:11:57Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874864#M408299 <HTML><HEAD></HEAD><BODY><P>I don't know I haven't tried to enable the feature. Are you running the latest ASA version?</P></BODY></HTML> Tue, 15 Jan 2008 15:14:42 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874864#M408299 gates1150 2008-01-15T15:14:42Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874865#M408300 <HTML><HEAD></HEAD><BODY><P>My ASA is running 7.2(2). If you run across any documentation regarding password managment via Radius, please share. I've come across LDAP Authorization that allows this, but not RADIUS. Thanks.</P></BODY></HTML> Tue, 15 Jan 2008 15:23:51 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874865#M408300 najeebsyed2 2008-01-15T15:23:51Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874866#M408301 <HTML><HEAD></HEAD><BODY><P>I'm on 8.02. I'll pass it along if I find anything.</P></BODY></HTML> Tue, 15 Jan 2008 15:24:42 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874866#M408301 gates1150 2008-01-15T15:24:42Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874867#M408302 <HTML><HEAD></HEAD><BODY><P>Thanks a bunch.</P></BODY></HTML> Tue, 15 Jan 2008 15:33:10 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874867#M408302 najeebsyed2 2008-01-15T15:33:10Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874868#M408303 <HTML><HEAD></HEAD><BODY><P>Password-management will work with Radius and LDAP. When using radius you will not be notified a certain number of days before password expiration, but you will be notified when it expires and will be able to change it. </P></BODY></HTML> Tue, 15 Jan 2008 16:09:17 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874868#M408303 acomiskey 2008-01-15T16:09:17Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874869#M408304 <HTML><HEAD></HEAD><BODY><P></P><P>When my client connects to our PIX then he is prompted for his AD username and password. If the password has expired it just keeps asking him for his password and then locks his account.</P><P></P><P>What have I do wrong or maybe better how do you properly set this up on a radius server.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 15 Jan 2008 16:13:23 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874869#M408304 boschrexroth 2008-01-15T16:13:23Z https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874870#M408306 <HTML><HEAD></HEAD><BODY><P>This is the command you are looking for. </P><P></P><P>password-management </P><P></P><P><A class="jive-link-custom" href="http://cisco.com/en/US/docs/security/asa/asa71/command/reference/p_711.html#wp1643267" target="_blank">http://cisco.com/en/US/docs/security/asa/asa71/command/reference/p_711.html#wp1643267</A> </P><P></P><P>Once enabled on the firewall all you have to do is make sure you are allowing mschap v2 in your remote access policy on IAS server. </P><P></P><P>When the user connects to the vpn and their password has expired, it will prompt them to change their password. </P><P></P><P>hostname(config)# tunnel-group group-name general-attributes </P><P>hostname(config-tunnel-general)# password-management</P><P></P><P>edit: There is also a checkbox in the remote access policy in IAS to "allow user to change password after it expires"...check it.</P></BODY></HTML> Tue, 15 Jan 2008 16:15:58 GMT https://community.cisco.com/t5/network-access-control/asa-vpn-authentication/m-p/874870#M408306 acomiskey 2008-01-15T16:15:58Z