
AnyConnect Authentication with two databases (local and Active Directory LDAP) at the same time

WiLL-I-Am
Level 1

1st-

If I add authentication-server-group xyz LOCAL under my AnyConnect tunnel-group, is it going to authenticate users only against LDAP?

 

ASA(config)# tunnel-group xxx general-attributes
ASA(config-tunnel-general)# authentication-server-group xyz LOCAL
ASA(config-tunnel-general)# exit

 

ASA(config)# aaa-server xyz protocol ldap  
ASA(config-aaa-server-group)# aaa-server xyz (inside) host 192.168.100.10
ASA(config-aaa-server-group)# ldap-base-dn dc=microsoft,dc=com
.
.

What if we want to first authenticate against the ASA local DB and then go to Active Directory?

 

2nd-

How can I copy this to Active Directory? If I copy it the same way, as a hashed password, is it still going to pass authentication?

username XXX030y password fj1dlA2jO9u8hZ51 encrypted

 

Thx

3 Replies

1) The ASA only has a fallback from the external server to LOCAL. Only when the external server is not reachable is the local database queried. You could configure two tunnel-groups, one with LDAP and one with LOCAL, but that is of course not the same as what you want.

2) No, the way passwords are hashed is different between the ASA and AD.
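To make the two behaviours in this reply concrete, here is an added example ASA configuration (it is not from the original thread or from Cisco documentation). The server-group name xyz, the tunnel-group names AD-USERS and LOCAL-USERS, the base DN, the bind account and the host address are assumed placeholders:

```cisco
! Assumed example: LDAP server group pointing at an AD domain controller
aaa-server xyz protocol ldap
aaa-server xyz (inside) host 192.168.100.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=service,dc=example,dc=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
!
! Profile 1: AD users. The trailing LOCAL keyword is a reachability
! fallback only: if no server in group xyz answers, the ASA consults
! its local database. A wrong password that AD rejects is NOT retried
! locally.
tunnel-group AD-USERS type remote-access
tunnel-group AD-USERS general-attributes
 authentication-server-group xyz LOCAL
tunnel-group AD-USERS webvpn-attributes
 group-alias ActiveDirectory enable
!
! Profile 2: users that still live only in the ASA local database.
tunnel-group LOCAL-USERS type remote-access
tunnel-group LOCAL-USERS general-attributes
 authentication-server-group LOCAL
tunnel-group LOCAL-USERS webvpn-attributes
 group-alias Local enable
!
! Expose both profiles in the AnyConnect group drop-down so a user
! picks the database their account exists in.
webvpn
 tunnel-group-list enable
```

The point the reply makes is visible in profile 1: "xyz LOCAL" is a server-outage fallback, not a "try AD, then try local" chain, so a user whose credentials AD rejects is simply denied. Profile 2 is the separate LOCAL-only connection profile the reply mentions; with both aliases published, a migration can move accounts to AD one group at a time while the remaining local accounts keep working.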

So it's even worse now: I can't just copy the local DB to AD, and I can't decrypt them either. The only way is to make two connection profiles?

So imagine our enterprise has 2000 users using our AnyConnect; there is no way for me to switch them to AD without resetting their passwords?

The only workaround I can think of is designing a web page to reset their passwords by entering their email, so it can automate the process a little bit, but this can't avoid them complaining for months that they can't log in and asking what happened all of a sudden?!....