05-31-2015 12:29 PM
Is it possible to authenticate a vpn user in ASA first in LDAP and if the user is not found then try the internal database of the device (or vice versa)?
Thank you.
06-04-2015 05:42 AM
Hello,
As far as I know, it is impossible. You can fall back to LOCAL Database only, if AAA Server, which is used for authentication (AD in your case) is not available at the moment.
But you can configure two different connection profiles (tunnel groups) on ASA. For the first group you can configure LDAP authentication, for the second - LOCAL authentication.
Then you can instruct remote users: Try the first connection profile on your Anyconnect client (or browser in case of clientless vpn). If authentication is unsuccessful, please, try the second connection profile.
P.S. In this case you need to enable "Allow user to select connection profile on the login page" option in ASDM or, if you use CLI:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable
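The two-profile setup described in the answer above, written out as an ASA running-config fragment. This is an added example, not configuration from the original post or from Cisco; the server group name LDAP_SRV, the host 10.0.0.10, the base DN, the bind account, the pool VPN_POOL, the group policy GP_RA, the tunnel-group names RA-LDAP and RA-LOCAL, the aliases and the break-glass username are all placeholders to be replaced with your own values.

```text
! --- Added example (not from the original post); all names and addresses are placeholders ---

! LDAP server group used by the first connection profile
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft

! Address pool and group policy shared by both profiles
ip local pool VPN_POOL 192.0.2.10-192.0.2.100 mask 255.255.255.0
group-policy GP_RA internal
group-policy GP_RA attributes
 vpn-tunnel-protocol ssl-client ssl-clientless

! Local (break-glass) account for the second profile.
! service-type remote-access keeps this account off the management plane.
username vpn-break-glass password <strong-password>
username vpn-break-glass attributes
 service-type remote-access

! Profile 1: LDAP. "LOCAL" after the server group is the fallback the answer
! mentions: it is used only when no LDAP server in the group is reachable,
! not when LDAP answers "user not found" or "bad password".
tunnel-group RA-LDAP type remote-access
tunnel-group RA-LDAP general-attributes
 address-pool VPN_POOL
 authentication-server-group LDAP_SRV LOCAL
 default-group-policy GP_RA
tunnel-group RA-LDAP webvpn-attributes
 group-alias Corporate enable

! Profile 2: LOCAL database only
tunnel-group RA-LOCAL type remote-access
tunnel-group RA-LOCAL general-attributes
 address-pool VPN_POOL
 authentication-server-group LOCAL
 default-group-policy GP_RA
tunnel-group RA-LOCAL webvpn-attributes
 group-alias Local enable

! Show the profile drop-down on the login page (same command the answer gives)
webvpn
 enable outside
 tunnel-group-list enable
```

With tunnel-group-list enabled, both aliases ("Corporate" and "Local") appear in the AnyConnect group drop-down and on the clientless login page, so the user can pick the other profile after a failure, exactly as the answer suggests. Two things worth checking before deploying this: the "LOCAL" profile is reachable by anyone who can see the login page, so keep the local user list to a few break-glass accounts with strong passwords and audit it, and confirm the fallback behaviour of the first profile with `test aaa-server authentication LDAP_SRV host 10.0.0.10 username <user> password <pw>` and `debug ldap 255` rather than assuming a rejected LDAP login will drop to LOCAL (it will not).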