Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
507
Views
5
Helpful
3
Replies

ASA AD RSA Integration

Go to solution
Mokhalil82
Level 4
Level 4

‎01-26-2016 09:03 AM

Hi

We currently have a ASA firewall, where the users authenticate using RSA Tokens. When we create a new user in RSA, the username needs to match their AD username. So the ASA uses RSA as the radius server for authentication.

For our Remote Access VPN, we have many group policies on the ASA, and the ASA assigns the correct group policy depending on the users associated Radius profile in RSA. 

We would now like to drop RSA totally and use AD for authentication and profile association. Can anyone advise if this would be straightforward. I want the ASA to authenticate VPN users with AD and assign a profile so each user uses the correct group policy

Thanks

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
jagmeesi
Level 1
Level 1

‎01-26-2016 09:55 AM

Hi

It is possible to assign group-policy through AD authentication for the Users in a Particular Group on AD. I am assuming as it is though AD you will mostly be using LDAP for the same .Please go through the following links on more info:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Regards

Jagmeet

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎01-26-2016 09:59 AM

If you already have all your group-policies in place, then one easy way would be to install the RADIUS service on a Windows-Server and authenticate your users through RADIUS. For each user-group you have one Radius-profile which assigns the group-policy through the RADIUS attribute 25 ("class").

You could also use LDAP for authentication, but that is slightly more complex on the ASA.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
jagmeesi
Level 1
Level 1

‎01-26-2016 09:55 AM

Hi

It is possible to assign group-policy through AD authentication for the Users in a Particular Group on AD. I am assuming as it is though AD you will mostly be using LDAP for the same .Please go through the following links on more info:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Regards

Jagmeet

0 Helpful

Go to solution
jagmeesi
Level 1
Level 1

‎01-26-2016 09:56 AM

Please go through this discussion as well:

https://supportforums.cisco.com/discussion/10882191/cisco-asa-authenticate-users-specific-ldap-group

Regards

Jagmeet

Go to solution
Karsten Iwen
VIP
VIP

‎01-26-2016 09:59 AM

If you already have all your group-policies in place, then one easy way would be to install the RADIUS service on a Windows-Server and authenticate your users through RADIUS. For each user-group you have one Radius-profile which assigns the group-policy through the RADIUS attribute 25 ("class").

You could also use LDAP for authentication, but that is slightly more complex on the ASA.

0 Helpful
Customers Also Viewed These Support Documents