AnyConnect Authentication with two databases (local and Active Directory LDAP) at the same time

WiLL-I-Am
Beginner

1st-

If I add authentication-server-group xyz local under my AnyConnect tunnel-group, is it going to authenticate users only against LDAP?

 

ASA(config)# tunnel-group xxx general-attributes
ASA(config-tunnel-general)# authentication-server-group xyz LOCAL
ASA(config-tunnel-general)# exit

 

ASA(config)# aaa-server xyz protocol ldap  
ASA(config-aaa-server-group)# aaa-server xyz (inside) host 192.168.100.10
ASA(config-aaa-server-group)# ldap-base-dn dc=microsoft,dc=com
.
.

What if we want to first authenticate against the ASA local DB and then go to Active Directory?

 

2nd-

How can I copy this to Active Directory? If I copy it the same way, with the hashed password, is it still going to pass authentication?

username XXX030y password fj1dlA2jO9u8hZ51 encrypted

 

Thx

3 Replies

Karsten Iwen
VIP Mentor

1) The ASA only has a fallback from the external server to LOCAL. Only when the external server is not reachable is the local database queried. You could configure two tunnel-groups, one with LDAP, one with LOCAL, but that is of course not the same as what you want.

2) No, the way of hashing passwords is different between the ASA and AD.
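
An added configuration example, not from this thread, showing the two options described above side by side: an LDAP profile with LOCAL as fallback (the ASA consults LOCAL only when the LDAP server is unreachable, not when a user's LDAP login fails), and a separate local-only profile selectable through its own group alias. Server-group and profile names, the base DN, the bind account and the group policy are hypothetical; the LDAP host is the one from the question.

```cisco
! LDAP server group pointing at the domain controller from the question
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.168.100.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
!
! Profile 1: authenticate against AD; LOCAL is used only if AD is unreachable
tunnel-group ANYCONNECT-AD type remote-access
tunnel-group ANYCONNECT-AD general-attributes
 authentication-server-group AD-LDAP LOCAL
 default-group-policy GP-ANYCONNECT
tunnel-group ANYCONNECT-AD webvpn-attributes
 group-alias "Corporate (AD)" enable
!
! Profile 2: authenticate against the ASA local user database only
tunnel-group ANYCONNECT-LOCAL type remote-access
tunnel-group ANYCONNECT-LOCAL general-attributes
 authentication-server-group LOCAL
 default-group-policy GP-ANYCONNECT
tunnel-group ANYCONNECT-LOCAL webvpn-attributes
 group-alias "Legacy (local)" enable
!
! Let the AnyConnect client show the two aliases as a selectable list
webvpn
 tunnel-group-list enable
```

With both profiles live, users can be moved to the AD profile in batches while the local profile stays available, and the local profile is removed once the migration is complete.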

So even worse now that I can't just copy the local DB to AD, and I can't decrypt them either; the only way is to make two connection profiles?

So imagine our enterprise has 2000 users using our AnyConnect; there is no way for me to switch them to AD without resetting their passwords?

The only workaround I can think of is designing a webpage to reset their passwords by entering their email, so it can automate the process a little bit, but this can't avoid them complaining for months that we can't log in, what happened suddenly?!....
