07-28-2014 06:07 AM - edited 03-10-2019 09:53 PM
Hello All,
I'm using cisco asa 5512-x asdm
asa version 9.1(2)
asdm version 7.2(1)
I configured my ldap server and tested it, connection is ok.
but I'm not sure how to configure my ipsec remote vpn, to authenticate users who belong to active directory "VPN" group only, and deny all else.
I created a dynamic access group on asdm, is that enough?
please try to explain it to me simply since I'm not all of that good with cisco cli, if it's possible to explain in asdm way, that would be preferred.
Thank you very much.
07-28-2014 09:43 AM
Hi Henry Green
If you already have working your LDAP and the REMOTE VPN the next step is to use the LDAP to authenticate the VPN remote users.
You need to add the next config to your tunnel group:
ciscoasa(config)#tunnel-group testgroup general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group LDAP
Also check this useful link:
-Hope this helps -
07-29-2014 12:14 AM
Hi Rvarelac,
Thank you for the reply,
but my question is, how do I narrow the LDAP scope just to a specific ldap group?
I have an ldap group called "VPN", I want them and them alone to be able to authenticate via remote VPN
Any advice?
07-29-2014 03:09 AM
The ASA checks with an LDAP server in order to verify the identity of users that it authenticates. This process does not work like a traditional Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) exchange. These steps explain, at a high level, how the ASA uses an LDAP server in order to check user credentials.
Verify the links for configuration:
The user initiates a connection to the ASA.
The ASA is configured to authenticate that user with the Microsoft Active Directory (AD)/LDAP server.
The ASA binds to the LDAP server with the credentials configured on the ASA (admin in this case), and looks up the provided username. The admin user also obtains the appropriate credentials to list contents within Active Directory. Refer to http://support.microsoft.com/?id=320528 for more information about how to grant LDAP query privileges.
Note: The Microsoft website at http://support.microsoft.com/?id=320528 is managed by a third party provider. Cisco is not responsible for its content.
If the username is found, the ASA attempts to bind to the LDAP server with the credentials that the user provided at login.
If the second bind is successful, authentication succeeds and the ASA processes the attributes of the user.
Note: In this example the attributes are not used for anything. Refer to ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example in order to see an example of how the ASA can process LDAP attributes.
07-29-2014 04:21 AM
The LDAP connection and binding is working well,
but the issue is, that right now any LDAP user is allowed to authenticate via VPN (ipsec remote vpn using cisco vpn client)
which is a problem for me, so how do I permit only members of a specific LDAP group to authenticate?
(If the answer was already provided in your post and I didn't get it, I apologize, please break it down simply for me to understand if possible)
Thank you very much.
08-07-2014 10:48 PM
Hi
Please check the following link that has an example:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html
Cheers!!
Minakshi (Do rate the helpful posts)
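For readers who want to see the approach the linked document describes in one place, here is an added CLI example (not from any post in this thread and not taken from the linked page): an LDAP attribute map turns the AD memberOf value into a group policy, and the tunnel group's default policy blocks logins for anyone who did not get that mapping. The server address 10.0.0.10, domain example.local, bind account asa-bind, group DN CN=VPN,OU=Groups,DC=example,DC=local, policy names VPN-ALLOW and NOACCESS, and the tunnel group name testgroup are all assumed placeholders.

```text
! Added example, not from the thread. All names and addresses are assumed.
! 1) Map the AD "VPN" group's DN to the group policy VPN-ALLOW.
ldap attribute-map VPN-ONLY
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN,OU=Groups,DC=example,DC=local" VPN-ALLOW
!
! 2) LDAP server definition (the bind account only needs read access).
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=local
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map VPN-ONLY
!
! 3) Policy for everyone else: authentication passes, but zero sessions are allowed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 4) Policy that VPN group members are mapped into.
group-policy VPN-ALLOW internal
group-policy VPN-ALLOW attributes
 vpn-tunnel-protocol ikev1
!
! 5) The IPsec tunnel group uses LDAP and falls back to NOACCESS when no mapping matched.
tunnel-group testgroup general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
```

The map-value DN must match the group's distinguished name exactly and memberOf only reflects direct membership, so nested groups will not match. Users outside the group still authenticate against AD but are rejected at login with a simultaneous-logins error, which is the expected log signature when verifying the setup with `debug ldap 255`.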