topic Re: integrate VPN with AD in Network Security

integrate VPN with AD

mautez_mah — Mon, 09 May 2022 07:55:07 GMT

Hi ,
I am working in FW ASA ,
SSL-VPN integrated with AD ,and all users created in AD within specific group
how can I add new group to AD and match it in ASA
how can ASA know that group in ASA should got users from specific Group in AD
ju

Re: integrate VPN with AD

Rob Ingram — Mon, 09 May 2022 08:07:19 GMT

@mautez_mah

If using LDAP, utilise an LDAP attribute map to map AD group.

https://integratingit.wordpress.com/2020/04/03/asa-remote-access-vpn-using-ldap/

Re: integrate VPN with AD

mautez_mah — Mon, 09 May 2022 08:16:28 GMT

@Rob Ingram
many thanks , can I know how to do it thru ASDM please 🙂

Re: integrate VPN with AD

Rob Ingram — Mon, 09 May 2022 08:19:56 GMT

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

https://www.petenetlive.com/KB/Article/0001152

Re: integrate VPN with AD

Flavio Miranda — Mon, 09 May 2022 08:25:04 GMT

How are using the AD on this case? Are you using LDAP protocol on ASA or do you use ISE and then ISE integrates with AD?

Why does your vpn users can not just be on the vpn user group?

Re: integrate VPN with AD

mautez_mah — Tue, 10 May 2022 09:12:16 GMT

@Flavio Miranda

I am using AD not ISE , I just need to know how to match group in ASA with group in AD

Re: integrate VPN with AD

mautez_mah — Tue, 10 May 2022 09:14:41 GMT

@Rob Ingram
I have attached screen-shots , I can't see configuration for LDAP or Access dynamic ,
even we are using AD for all VPN users , is this because FW is context

Re: integrate VPN with AD

Rob Ingram — Tue, 10 May 2022 09:49:30 GMT

@mautez_mah the screenshot is of the LDAP attribute map, which won't be configured.

Please provide your configuration for review, so we can determine what you have configured.

Re: integrate VPN with AD

Flavio Miranda — Tue, 10 May 2022 10:11:21 GMT

AD and ISE are completely different things. What I asked is if you are using ISE or searching the AD with LDAP directling from ASA

then you need to follow this instruction:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Then, I said that instead searching for group if dont make more sense add one group for VPN users and then look at this group only but if what work for you is search for a group on AD using LDAP from ASA.

"On the ASA, this is regularly achieved through the assignment of different group policies to different users. When LDAP authentication is in use, this can be achieved automatically with an LDAP attribute map. In order to use LDAP to assign a group policy to a user, you must map an LDAP attribute, such as the AD attribute memberOf to the Group-Policy attribute that is understood by the ASA. Once the attribute mapping is established, you must map the attribute value configured on the LDAP server to the name of a group policy on the ASA.

Note: The memberOf attribute corresponds to the group that the user is a a part of in the Active Directory. It is possible for a user to be a member of more than one group in the Active Directory. This causes multiple memberOf attributes to be sent by the server, but the ASA can only match one attribute to one group policy.""

Re: integrate VPN with AD

mautez_mah — Wed, 11 May 2022 09:58:47 GMT

@Rob Ingram
Thanks ,
I did a group policy and Tunnel Group in ASA , could you please tell me what conf your asked me to shared
in AD I configured NPS for new group
Note : there are groups have already working fine and I tried to match all features either in AD or in ASA but still showing Login falied ,