Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
641
Views
5
Helpful
3
Replies

VPN Authenntication - AD VPN Users Group membership- Kerberos Protocol

Chts
Level 1
Level 1

‎09-02-2018 02:30 PM

Hi All,

 

Can ASA(9.8) supports AD VPN users Group membership ( ex. Exernal_VPN_Users ) for authentication using Kerberos protocol? if so any configuration example would be greatly appreciated.

 

Many Thanks.

Labels:
0 Helpful
3 Replies 3

Mohammed al Baqari
Level 11
Level 11

‎09-03-2018 12:34 AM

ASA support Kerberos authentication. See this link.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/68881-aa-svrgrps-asdm.html

For AD Group authorization, you need to use DAP.

Chts
Level 1
Level 1
In response to Mohammed al Baqari

‎09-03-2018 01:35 AM

Thank you Mohammed.
We are using Win10 built-in VPN client which is presenting User certificate to ASA for authentication, should I use ikev2 remote-authentication eap query-identity or ikev2 remote-authentication certificate ?

Ref:
tunnel-group DefaultRAGroup ipsec-attributes
ikev2 remote-authentication eap query-identity
ikev2 local-authentication certificate VPN_Certificate




0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to Chts

‎09-03-2018 04:00 AM

I haven't tried windows client for VPN. But since you are using cert auth,
then it should be remote-authentication certificate
0 Helpful
Customers Also Viewed These Support Documents