Participant

Anyconnect AD Authentication

Hello, can you assist in getting this working? Attached is my config. I don't know what else I could be missing.

Thanks

13 REPLIES
VIP Advisor

Re: Anyconnect AD Authentication

Hi

Is this an AD server?

Normally the admin user is in the Users OU.

If so the config should be:

ldap-login-dn cn=Administrator, cn=Users, dc=vlab,dc=com

If the admin account is in another OU, adapt the config.

Not mandatory, but you can add under your LDAP config the following statement:

server-type microsoft

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Participant

Re: Anyconnect AD Authentication

Thanks Francesco, it was a typo on my end. I used sAMAaccount instead of sAMAccount, and I also changed the ldap-login-dn to cn=Users,cn=administrator... and it worked like a charm. If I need to authenticate certain users based on their connection profile and their group membership in AD, I'll have to use an attribute map, correct?

VIP Advisor

Re: Anyconnect AD Authentication

Yes, you'll need to use an attribute map for that.

For your reference, a Cisco doc showing how to do that:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Participant

Re: Anyconnect AD Authentication

Hi Francesco, I added the ldap attribute-map configuration. In the debug it shows that authentication is successful but it seems like the attribute-map is not triggered for some reason. I attached the config I have so far. Please review it and advise. Thank you. 

VIP Advisor

Re: Anyconnect AD Authentication

What version of ASA are you running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Participant

Re: Anyconnect AD Authentication

9.8 on a 5506
VIP Advisor

Re: Anyconnect AD Authentication

It's been a while since I've used LDAP to authenticate users. I prefer using RADIUS, less headache.

Can you try replacing your actual map-name with:

map-name memberOf IETF-Radius-Class


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
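As an added example that is not from this thread, the poster's attachment, or Cisco, here is a minimal ASA configuration that puts Francesco's two suggestions together: the bind account under cn=Users with server-type microsoft, plus an LDAP attribute map that turns the AD memberOf value into an ASA group-policy, with NOACCESS as the default so anyone outside the mapped group is refused. The server-group name, domain controller address, AD group DN and group-policy names are assumed values. The map uses Group-Policy as the Cisco-side attribute name, which is what current Cisco docs use; IETF-Radius-Class, as mentioned above, is the older name for the same attribute.

```cisco
! Added example, not the poster's configuration. Server-group name, host
! address, AD group DN and group-policy names are assumed values.
!
! Map the AD memberOf attribute onto the ASA group-policy selector.
! Define the map before the aaa-server host references it.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,CN=Users,DC=vlab,DC=com" GP-VPN-USERS
!
! LDAP server group pointing at the domain controller. The bind account
! lives in the default Users container, hence cn=Administrator,cn=Users,...
! LDAPS keeps the bind password and group lookups off the wire in clear text.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn dc=vlab,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=Administrator,cn=Users,dc=vlab,dc=com
 ldap-login-password REPLACE-WITH-BIND-PASSWORD
 server-type microsoft
 server-port 636
 ldap-over-ssl enable
 ldap-attribute-map AD-GROUP-MAP
!
! Default policy: zero simultaneous logins, so a user whose memberOf matched
! no map-value is refused even though the LDAP bind itself succeeded.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy handed out only when the attribute map matches the VPN-Users group.
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 3
!
tunnel-group ANYCONNECT-AD type remote-access
tunnel-group ANYCONNECT-AD general-attributes
 authentication-server-group LDAP-AD
 default-group-policy NOACCESS
tunnel-group ANYCONNECT-AD webvpn-attributes
 group-alias AD-Users enable
```

To check whether the map is actually being applied, run `debug ldap 255` and then `test aaa-server authentication LDAP-AD host 10.0.0.10 username <user> password <password>` from the CLI. The debug output lists the user's memberOf values and, when one of them matches a map-value, a line showing the attribute mapped to Group-Policy with the chosen policy name. If that mapped line never appears, the user's group DN does not match the map-value string exactly (DN ordering and case both count), the session falls through to NOACCESS, and you get precisely the symptom in this thread: a successful LDAP authentication in the debug followed by a failed AnyConnect login.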
Participant

Re: Anyconnect AD Authentication

I agree with you. That didn't work. What's weird is that the debug shows successful but the login fails on anyconnect.

VIP Advisor

Re: Anyconnect AD Authentication

Can you run a debug crypto when trying to connect to see what's going on?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Participant

Re: Anyconnect AD Authentication

It's using the group-policy NOACCESS, which allows 0 simultaneous logins. That should force it to use the attribute map, but it's not.

Participant

Re: Anyconnect AD Authentication

I just saw that you asked for debug crypto but I'm doing this with ssl. I tried debug webvpn but no output comes up when connecting.
Participant

Re: Anyconnect AD Authentication

Hi Francesco, I did this today on a customer's firewall using the same config and it worked like a charm. I guess certain things don't execute in a lab like they do in the wild. Thanks for your help anyway.
VIP Advisor

Re: Anyconnect AD Authentication

Your config was good and you were facing a strange behavior.
But if it works on your customer firewall that's the most important.
You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question