ASA and Active Directory authorization issue

Ilya Semenov — Fri, 21 Feb 2020 18:42:29 GMT

Hello, everybody,

I have an office where ASA 5508 on the edge and users are allowed to browse Internet after they've logged with their AD credentials. Everything works fine, except one thing:

Some users work with laptops connected to wired network. Sometimes they attend meetings where they have to use Wifi connection. After they change wired connection to wireless, ASA restrict them Internet access. It happens until "account logon" event in AD occurs.

How could I manually initiate accout logon or configure ASA to allow a user to use wired and wireless network? I mean, without a long period of time to wait...

Here is my AAA configuration:

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.39.1.11
ldap-base-dn DC=blablabla,DC=ru
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=RU-SCCMNetAccess,OU=IT,OU=.RU,DC=blablabla,DC=ru
server-type microsoft
ldap-attribute-map ANYCONNECT-LOGIN
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host
timeout 60
server-port 636
ldap-base-dn dc=
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=
ldap-over-ssl enable
server-type auto-detect
user-identity default-domain LOCAL

I could provide any information required.

Many thanks in advance,

Ilya

Re: ASA and Active Directory authorization issue

Marvin Rhoads — Thu, 28 Dec 2017 11:15:23 GMT

Unfortunately the ASA only knows what the AD servers tells it. Until there’s a new login event it won’t know the user has changed addresses in moving from wired to wireless.

If if you had something like Cisco ISE it could authorize both wired and wireless users as they move around.

topic Re: ASA and Active Directory authorization issue in Network Access Control

ASA and Active Directory authorization issue

Re: ASA and Active Directory authorization issue