Using Active Directory users to manage Cisco ASA 5510

gamercoar
Level 1

Hi,

Sorry if I'm not posting this in the right area, just let me know where it should go and I'll repost it there.

I know that our VPN users currently use Active Directory to authenticate their VPN sessions, so now I'm wondering if there is an easy way to configure my company's Cisco ASA 5510 to use either a Windows Server 2008 R2 Active Directory group (preferred method) or specific Active Directory users (less preferred) and authenticate them for management access (privilege level 15) using their Active Directory credentials. I do not want this to change the IP range used for ASDM/HTTPS/Telnet/SSH access (currently all local networks, no VPN), as those are settings that my company does not want changed.

Thanks in advance.

5 Replies

nspasov
Cisco Employee

Hello Chris-

For this you will need either a Radius or a TACACS+ server. There are a lot of open source Radius servers out there (Open Radius) and if you have Windows Server you can use their built-in NPS server as well. Otherwise you can go with something like Cisco's ISE or ACS which both include Radius. In addition, ACS includes TACACS+ which provides you the most granularity when it comes to authorizing users.

Hope this helps!

Thank you for rating!

We already have a RADIUS server in place; it's how we are authenticating our VPN users. What I really need is how to configure the ASDM/HTTPS/Telnet/SSH management access to the ASA so that it authenticates the user against Active Directory instead of either:

a) a preshared password for one account, or

b) setting up individual local user accounts on the ASA for the IT staff

OK, what type of Radius server are you using, and do you need help with the Radius server configuration or the ASA?

I only started at my company a few months back, so I don't know what kind of RADIUS server we have, but I can see from our VPN configuration that we have one and that we use it to authenticate our VPN users. I *think* all I need is help configuring the ASA to use it for management access for either an AD group or specified AD users, though if something needs to be specially configured on the RADIUS server, then I'll have to figure that out elsewhere.

This is where we need to start. You need to find out what type, make and model of Radius server you have. From there we can try to figure out what and how the setup should look. The good news is that since it is already integrated for your VPN connection then it should not be too much work to get the rest going.