07-12-2010 09:13 AM - edited 02-21-2020 04:43 PM
Hi,
I have a Cisco ASA5520 and have configured it to authenticate against AD using a win2008 box running Network policy server.
In ASDM I can test the auth and it works.
In ASDM->Device Management->AAA Access I can set which auth group I use to auth a user for enable, Telnet, SSH, ASDM/HTTP. When I set SSH to auth using the AD auth group that I created, it works fine....so I know the authentication is working.
Trouble is, it doesn't seem to work for a user authenticating with AnyConnect VPN. I don't seem to be able to find how I tell the ASA to use my AD auth group and not the LOCAL auth group to authenticate VPN users.
Any help is greatly appreciated.
Thanks
M
07-13-2010 05:16 AM
Try this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
But you're probably landing on the defaultwebvpngroup, so change the authentication to be your ldap/ntlm aaa server group there and see if the behavior changes.
By default, SSL connectivity uses the DefaultWEBVPNGroup tunnel-group/connection profile. If you don't want to use that profile/tunnel-group, you have to use either aliases or group-urls to get it to land on a different one:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
--Jason
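The change described in the answer above, as an added ASA CLI example that is not part of the original post. The server group name `AD_NPS`, the address `192.0.2.10`, the interface `inside`, the profile name `VPN-AD` and the host `vpn.example.com` are placeholders, and RADIUS is assumed because the question describes a Network Policy Server.

```cisco
! Constructed example: AD_NPS, 192.0.2.10, inside, VPN-AD and
! vpn.example.com are placeholders, not values from the thread.
!
! RADIUS server group pointing at the NPS host
aaa-server AD_NPS protocol radius
aaa-server AD_NPS (inside) host 192.0.2.10
 key <shared-secret>
!
! Option 1: sessions that land on the default SSL VPN profile
! authenticate against the AD-backed group instead of LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD_NPS
!
! Option 2: a separate connection profile, selected by alias or group-url
tunnel-group VPN-AD type remote-access
tunnel-group VPN-AD general-attributes
 authentication-server-group AD_NPS
tunnel-group VPN-AD webvpn-attributes
 group-alias VPN-AD enable
 group-url https://vpn.example.com/ad enable
!
! Show the alias list on the login page so users can pick the profile
webvpn
 tunnel-group-list enable
!
! From exec mode: confirm which server group each profile uses
show running-config tunnel-group
```

With option 2, a profile that has no `authentication-server-group` line of its own, including DefaultWEBVPNGroup, still authenticates against LOCAL, so review every profile in the `show` output.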
07-13-2010 07:39 AM
Yep...works now...just changed the auth method for DefaultWEBVPNGroup to the auth group I created and ....sweeet works!
Thanks