09-03-2020 03:28 PM - edited 09-04-2020 12:44 AM
1st-
If I add `authentication-server-group xyz LOCAL` under my AnyConnect tunnel-group, is it only going to authenticate users against LDAP?
ASA(config)# tunnel-group xxx general-attributes
ASA(config-tunnel-general)# authentication-server-group xyz LOCAL
ASA(config-tunnel-general)# exit
ASA(config)# aaa-server xyz protocol ldap
ASA(config-aaa-server-group)# aaa-server xyz (inside) host 192.168.100.10
ASA(config-aaa-server-group)# ldap-base-dn dc=microsoft,dc=com
.
.
What if we want to first authenticate against the ASA local DB and then go to Active Directory?
2nd-
How can I copy this to Active Directory? If I copy it the same way, as the hashed password, is it still going to pass authentication?
username XXX030y password fj1dlA2jO9u8hZ51 encrypted
Thx
09-05-2020 09:41 AM
1) The ASA only has a fallback from the external server to LOCAL. Only when the external server is not reachable is the local database queried. You could configure two tunnel-groups, one with LDAP and one with LOCAL, but that is of course not the same as what you want.
2) No, the way of hashing passwords is different between the ASA and AD.
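As an added illustration of the two-profile workaround described in this answer (example configuration, not the answerer's own): one connection profile authenticates against the LDAP server group `xyz` from the question, with LOCAL only as an unreachable-server fallback, and a second profile authenticates only against the ASA local database. The profile names, aliases and bind account are placeholders.

```text
! Added example: two AnyConnect connection profiles for a staged migration.
! Server group "xyz" and host 192.168.100.10 come from the question;
! AD-USERS, LOCAL-USERS, the aliases and the bind DN are placeholders.
aaa-server xyz protocol ldap
aaa-server xyz (inside) host 192.168.100.10
 ldap-base-dn dc=microsoft,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=microsoft,dc=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
!
! Profile 1: users are authenticated by AD. LOCAL is consulted only when
! every server in group xyz is unreachable; it is not a second password check.
tunnel-group AD-USERS type remote-access
tunnel-group AD-USERS general-attributes
 authentication-server-group xyz LOCAL
tunnel-group AD-USERS webvpn-attributes
 group-alias "Active Directory" enable
!
! Profile 2: users not yet migrated keep authenticating against the ASA
! local database only.
tunnel-group LOCAL-USERS type remote-access
tunnel-group LOCAL-USERS general-attributes
 authentication-server-group LOCAL
tunnel-group LOCAL-USERS webvpn-attributes
 group-alias "Local accounts" enable
!
! Show both aliases in the AnyConnect group drop-down.
webvpn
 tunnel-group-list enable
```

Before cutting users over, `test aaa-server authentication xyz host 192.168.100.10 username <user>` confirms that the ASA can bind to AD and authenticate a migrated account.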
09-05-2020 10:33 AM - edited 09-05-2020 10:34 AM
So it is even worse now: I can't just copy the local DB to AD, and I can't decrypt the passwords either, so the only way is to make two connection profiles?
So imagine our enterprise has 2000 users using our AnyConnect. There is no way for me to switch them to AD without resetting their passwords?
09-05-2020 12:41 PM - edited 09-05-2020 12:58 PM
The only workaround I can think of is designing a web page to reset their passwords by entering their email, so it can automate the process a little bit, but this can't avoid them complaining for months that they can't log in and asking what happened all of a sudden?!