cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5412
Views
1
Helpful
13
Replies

Anyconnect AD Authentication

NETAD
Level 4
Level 4

Hello, can you assist in getting this working? Attached is my config. I don't know what else I could be missing.

 

Thanks

2 Accepted Solutions

Accepted Solutions

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

Is this an AD server?

Normally the admin user is in the users OU.

If so the config should be:

ldap-login-dn cn=Administrator, cn=Users, dc=vlab,dc=com

 

If the admin account is in another ou adapt the config.

 

Not mandatory but you can add under your ldap config the following statement:

server-type microsoft

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Yes you'll need to use attribute map for that.

 

For your reference a Cisco doc showing how to do that:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

13 Replies 13

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

Is this an AD server?

Normally the admin user is in the users OU.

If so the config should be:

ldap-login-dn cn=Administrator, cn=Users, dc=vlab,dc=com

 

If the admin account is in another ou adapt the config.

 

Not mandatory but you can add under your ldap config the following statement:

server-type microsoft

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks Francesco, it was a typo on my end. I used sAMAaccount instead of sAMAccount and plus I changed the ldap-login-dn to cn=Users,cn=administrator... and it worked like a charm. If I need to authenticated certain users based on their connection profile and their group membership in AD I'll have to use an attribute map correct?

Yes you'll need to use attribute map for that.

 

For your reference a Cisco doc showing how to do that:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco, I added the ldap attribute-map configuration. In the debug it shows that authentication is successful but it seems like the attribute-map is not triggered for some reason. I attached the config I have so far. Please review it and advise. Thank you. 

What version of ASA are you running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

9.8 on a 5506

It's been a while i didn't used ldap to authenticate users. I prefer using radius, less headache.

 

Can you try replacing your actual map-name with:

map-name memberOf IETF-Radius-Class


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I agree with you. That didn't work. What's weird is that the debug shows successful but the login fails on anyconnect.

Can you run a debug crypto when trying to connect to see what's going on?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

it's using the group-policy NOACCESS which allows 0 simultaneous logins but that should force it to use the attribute map but it's not.

I just saw that you asked for debug crypto but I'm doing this with ssl. I tried debug webvpn but no output comes up when connecting.

Hi Francesco, I did this today on a customer's firewall using the same config and it worked like a charm. I guess certain things don't execute in a lab like they do in the wild. Thanks for your help anyway.

Your config was good and you were facing a strange behavior.
But if it works on your customer firewall that's the most important.
You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question