AnyConnect with automatic Active Directory credentials authentication

sam cook
Spotlight

Hi,

I need to set up a new AnyConnect configuration with automatic Active Directory credentials authentication.

The purpose is that AnyConnect will be launched automatically at Windows start, detect whether the user is outside the corporate network, and connect to the remote VPN automatically using Active Directory credentials.

After some research I found that I need to use the "Start VPN when AnyConnect is started" and "Trusted Network Detection" options.

But I still did not find how to enable automatic Active Directory credentials authentication.

Any help please?


This can be done only using certificate authentication. Auto connection won't work with AAA authentication.

What you can do is to have a SCEP proxy with a tunnel-group for users to enroll and get certificates the first time they connect. Then you have another tunnel-group with a certificate map that matches users connecting based on CA name, for example, and accepts their connections.

Hi @Mohammed al Baqari

Thank you for your help, so if I have understood correctly: the first time, the user needs to log in manually using his AD credentials, and then the ASA will generate a certificate that will be stored on the user machine and then used automatically at each VPN start?

That's correct, in case you decide to go with my suggested solution.

2 x Tunnel Groups

tunnel-group 1 (one-time use only when connecting the first time)
*****************************
* AAA authentication
* SCEP proxy pointing to the CA server to enroll users based on the AD username used for login to the VPN

tunnel-group 2
*****************************
* Certificate authentication
* certificate-map matches certificates issued from the test-lab CA server (or any other attribute) and authenticates users.

This, with TND and the always-on VPN option or "start VPN with client start" (depending on what you want), will give a seamless VPN experience to users.
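An illustrative skeleton of the two-tunnel-group design described in this reply, added here as an example; it is not taken from the thread or from Cisco documentation. Every name in it (LAB-CA, AD-LDAP, GP-ENROLL, GP-USERS, ENROLL-TG, CERT-TG, VPN-POOL, LAB-CA-MAP, the CA URL, the issuer CN and the profile host values) is a placeholder, and the ASA command syntax should be checked against the release actually in use:

```text
! ---- ASA side (all names and addresses are assumed placeholders) ----
! Trustpoint for the internal CA that signs user certificates; authenticate
! and enroll it so the ASA trusts the CA chain before enabling cert auth.
crypto ca trustpoint LAB-CA
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 crl configure

! AD/LDAP server group, used only by the one-time enrollment tunnel-group
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,cn=Users,dc=example,dc=com
 ldap-login-password <placeholder>
 server-type microsoft

! Tunnel-group 1: AAA login + SCEP proxy; the user authenticates with AD
! credentials once and receives a certificate through the ASA.
group-policy GP-ENROLL internal
group-policy GP-ENROLL attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  scep-forwarding-url value http://ca.example.com/certsrv/mscep/mscep.dll
tunnel-group ENROLL-TG type remote-access
tunnel-group ENROLL-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-ENROLL
tunnel-group ENROLL-TG webvpn-attributes
 authentication aaa
 scep-enrollment interface outside
 group-alias enroll enable

! Tunnel-group 2: certificate-only authentication for every later connection
group-policy GP-USERS internal
tunnel-group CERT-TG type remote-access
tunnel-group CERT-TG general-attributes
 address-pool VPN-POOL
 default-group-policy GP-USERS
tunnel-group CERT-TG webvpn-attributes
 authentication certificate

! Certificate map: only certificates issued by the lab CA are mapped to CERT-TG.
! Matching on issuer alone accepts every certificate that CA has issued, so
! keep CRL/OCSP checking on the trustpoint so revoked certificates are refused.
crypto ca certificate map LAB-CA-MAP 10
 issuer-name attr cn eq "test-lab ca"
webvpn
 enable outside
 certificate-group-map LAB-CA-MAP 10 CERT-TG

<!-- ---- AnyConnect client profile (XML), assumed placeholder values ---- -->
<!-- Starts the VPN with the client, uses TND to connect only off-network,
     and points the default host entry at the certificate tunnel-group. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>CERT-TG</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The enrollment tunnel-group is the only place AD credentials are used; once the machine holds a certificate from the lab CA, the profile sends every later connection to CERT-TG, where the certificate map decides admission. Because admission then depends entirely on the certificate, revocation (CRL or OCSP on the trustpoint) is what removes access when a user leaves or a device is lost.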

SCEP proxy pointing to the CA server to enroll users based on the AD username used for login to the VPN ==> the CA server is my AD server?

Certificate-map matches certificates issued from the test-lab CA server (or any other attribute) and authenticates users ==> what's the test-lab CA server?

The CA is a CA server, not an AD server (you can have both roles on the same server).

Test-lab is a dummy name I suggested for the CA.