ASA and Active Directory authorization issue

Ilya Semenov
Level 1

Hello, everybody,

I have an office with an ASA 5508 on the edge, and users are allowed to browse the Internet after they've logged in with their AD credentials. Everything works fine, except one thing:

Some users work with laptops connected to the wired network. Sometimes they attend meetings where they have to use the Wifi connection. After they change from the wired connection to wireless, the ASA restricts their Internet access. This happens until an "account logon" event occurs in AD.

How could I manually initiate an account logon, or configure the ASA to allow a user to use the wired and wireless network? I mean, without a long period of time to wait...

Here is my AAA configuration:

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.39.1.11
 ldap-base-dn DC=blablabla,DC=ru
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=RU-SCCMNetAccess,OU=IT,OU=.RU,DC=blablabla,DC=ru
 server-type microsoft
 ldap-attribute-map ANYCONNECT-LOGIN
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host
 timeout 60
 server-port 636
 ldap-base-dn dc=
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=
 ldap-over-ssl enable
 server-type auto-detect
user-identity default-domain LOCAL

I could provide any information required.

Many thanks in advance,

Ilya

1 Reply

Marvin Rhoads
Hall of Fame

Unfortunately the ASA only knows what the AD server tells it. Until there's a new login event, it won't know the user has changed addresses in moving from wired to wireless.

If you had something like Cisco ISE, it could authorize both wired and wireless users as they move around.
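The mechanism in the reply, modelled as a small added Python example (my own code, not Cisco's and not from this thread): an identity-aware firewall keeps an IP-to-user table that is fed only by AD logon events, so a laptop that changes address when it moves to WiFi is denied until a logon event is seen from the new address. The one-binding-per-user rule, the idle timeout, the allow-only-known-users policy, and all names, addresses and times are constructed assumptions for illustration.

```python
"""Toy model of an identity-aware firewall's IP-to-user table.

Constructed example for this thread, not Cisco code. It models what the
reply describes: the firewall only learns a user's address from AD logon
events, so a laptop that moves from the wired to the wireless network keeps
being denied until a fresh logon event is seen from the new address.
Assumptions (not from the thread): one binding per user (a new logon
replaces the old address), an idle timeout, and a policy that allows only
users the table currently knows. Names, addresses and times are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LogonEvent:
    at: int      # seconds on a constructed timeline
    user: str
    ip: str


@dataclass(frozen=True)
class Request:
    at: int
    src_ip: str


@dataclass
class IdentityMap:
    """IP -> (user, last seen) table fed only by logon events."""
    idle_timeout: int = 3600  # assumed idle timeout, seconds
    ip_to_user: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def ingest(self, ev: LogonEvent) -> None:
        # Assumption: a new logon for a user replaces that user's old binding.
        stale = [ip for ip, (u, _) in self.ip_to_user.items() if u == ev.user]
        for ip in stale:
            del self.ip_to_user[ip]
        self.ip_to_user[ev.ip] = (ev.user, ev.at)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        entry = self.ip_to_user.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.idle_timeout:   # binding aged out
            del self.ip_to_user[ip]
            return None
        return user


def authorize(imap: IdentityMap, req: Request, allowed: Set[str]) -> Tuple[Optional[str], bool]:
    """Identity-based rule: traffic is allowed only if the source address
    maps to a user in the allowed set; an unmapped address is denied."""
    user = imap.lookup(req.src_ip, req.at)
    return user, (user is not None and user in allowed)


def replay(events: List[LogonEvent], requests: List[Request],
           allowed: Set[str]) -> List[Tuple[int, str, Optional[str], bool]]:
    """Feed logon events and requests to the table in time order and
    return (time, src_ip, mapped_user, allowed) for every request."""
    imap = IdentityMap()
    timeline = sorted([(e.at, 0, e) for e in events] + [(r.at, 1, r) for r in requests],
                      key=lambda item: (item[0], item[1]))
    decisions = []
    for _, kind, item in timeline:
        if kind == 0:
            imap.ingest(item)
        else:
            user, ok = authorize(imap, item, allowed)
            decisions.append((item.at, item.src_ip, user, ok))
    return decisions


def run_demo() -> List[Tuple[int, str, Optional[str], bool]]:
    """Constructed timeline: wired logon, move to WiFi, later logon seen from WiFi."""
    events = [
        LogonEvent(0, "alice", "192.0.2.20"),       # logon seen from the wired address
        LogonEvent(900, "alice", "198.51.100.77"),  # logon finally seen from the WiFi address
    ]
    requests = [
        Request(100, "192.0.2.20"),     # browsing from wired: mapped, allowed
        Request(600, "198.51.100.77"),  # moved to WiFi: no binding yet, denied
        Request(950, "198.51.100.77"),  # after the new logon event: allowed
        Request(960, "192.0.2.20"),     # old wired address no longer bound
    ]
    return replay(events, requests, allowed={"alice"})


if __name__ == "__main__":
    for at, ip, user, ok in run_demo():
        print(f"t={at:4d} src={ip:15s} user={user!s:6s} {'ALLOW' if ok else 'DENY'}")
```

Running the demo shows the denied window between the move to WiFi (t=600) and the next logon event from the new address (t=900); nothing the firewall does on its own closes that gap, which is the point of the reply above. The idle timeout in the model only expires old bindings; it never creates the new one.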
