ASA Authentication for its RAVPN

fatalXerror
Level 5

Hi Guys,

Good Day!

I would like to seek your expertise.

We have an issue where RAVPN users cannot authenticate to their AD. Our setup is that Company A has its own RAVPN headend, and so does Company B. Company A users can connect using their own VPN headend, and likewise Company B users can connect using their own VPN headend.

The requirement now is that Company A should be able to connect to their RAVPN using Company B's VPN headend, and vice versa. Upon testing it, when Company A tries to connect to their RAVPN using Company B's VPN headend it works, but when Company B tries to connect using Company A's it doesn't work.

Here's the setup: Company A's ASA has a connection to both Company A's AD and Company B's AD via LDAP. Company B's ASA has a connection to their ISE, and the ISE communicates with Company A's and Company B's AD via RADIUS.

We suspect that Company A needs to have ISE for this to work; or can the ASA alone do this via LDAP?

Thanks

3 Replies

Philip D'Ath
VIP Alumni

There are so many solutions to this.

If money is no issue, then deploy a Cisco ISE at Company 'A' so both companies are configured identically.

If no one wants to spend any money, then deploy Microsoft NPS at company 'A'.  NPS is the RADIUS server that comes with Windows.  Then change to using RADIUS authentication.  Configure NPS to authenticate users for both sites.

Another option is to configure two separate VPNs at Company 'A'.  Point one at the AD for Company 'A' and the other at the AD for company 'B'.

Another option is to point BOTH ASA's at the ISE server at company 'B'.  This option may be the simplest.

Hi -

Philip hit it on the nose, but there are 2 more possibilities here...

If A & B have created a trust between their ADs, then we can use the trust to authenticate users from either domain.  Instead of using port 389 for regular LDAP lookups, use 3268 to query against the Global Catalog.

Alternately, use separate VPN groups (tunnel groups) to control your authentication.  A users get profile A and B users get profile B.  Nothing prevents you from having multiple AAA server configurations on an ASA.  (You may be doing it now... Admins authenticate against ACS while VPN users authenticate against RADIUS, NT (deprecated), or AD.)

PSC
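The "separate tunnel groups, one AAA server group each" option that Philip and Paul both describe, written out as an ASA configuration fragment. This is an added example and not configuration from the original thread or from either company; hostnames, IP addresses, interface names, base DNs, bind accounts, group names and policy names are assumptions. The second server group also shows Paul's Global Catalog variant (port 3268, or 3269 with LDAPS), which only returns cross-domain users when a forest trust exists between the two ADs.

```cisco
! Company A ASA - added example, all names and addresses are placeholders

! Server group 1: Company A's own AD, plain LDAP to a domain controller
aaa-server COMPANY-A-AD protocol ldap
aaa-server COMPANY-A-AD (inside) host 10.1.0.10
 server-port 389
 ldap-base-dn dc=companya,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=companya,dc=local
 ldap-login-password <bind-password-A>
 server-type microsoft

! Server group 2: Company B's AD. Queries go to the Global Catalog port, so with
! a forest trust in place a single DC can answer for users of either domain.
! Because this DC is reached across the inter-company link, the example uses
! LDAPS on 3269 rather than cleartext 3268; an LDAP bind password and user
! credentials should not cross an untrusted path in the clear.
aaa-server COMPANY-B-AD protocol ldap
aaa-server COMPANY-B-AD (outside) host 10.2.0.10
 ldap-over-ssl enable
 server-port 3269
 ldap-base-dn dc=companyb,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=companyb,dc=local
 ldap-login-password <bind-password-B>
 server-type microsoft

! Let AnyConnect users pick their company from the group list
webvpn
 tunnel-group-list enable

! One tunnel group per company, each bound to exactly one AAA server group
tunnel-group COMPANY-A-VPN type remote-access
tunnel-group COMPANY-A-VPN general-attributes
 authentication-server-group COMPANY-A-AD
 default-group-policy COMPANY-A-POLICY
tunnel-group COMPANY-A-VPN webvpn-attributes
 group-alias CompanyA enable

tunnel-group COMPANY-B-VPN type remote-access
tunnel-group COMPANY-B-VPN general-attributes
 authentication-server-group COMPANY-B-AD
 default-group-policy COMPANY-B-POLICY
tunnel-group COMPANY-B-VPN webvpn-attributes
 group-alias CompanyB enable

! Check each server group from the ASA before users test:
!   test aaa-server authentication COMPANY-B-AD host 10.2.0.10 username jdoe password <pw>
```

The reason for keeping the two directories in separate server groups rather than listing both domain controllers under one: the ASA only moves to the next host in a server group when the current host is marked failed (timeouts, unreachable), never because the host answered with an authentication rejection. A Company B user whose credentials are tried against a healthy Company A DC is simply rejected, and the Company B DC is never consulted. Binding each tunnel group to its own server group removes that dependency on fallback entirely.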

Hi Paul and Philip,

Good Day!

Thanks for the detailed feedback.

So I think there's a misconfiguration in my client's ASA because they cannot authenticate to Company B's AD.

My theory before was that since there will be 2 AAA servers configured in the ASA itself, Company A's is still alive, which is why it will not fall back to Company B's AD, in turn failing the authentication.

Thanks again.

Cheers.
