cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1225
Views
0
Helpful
1
Replies

ASA VPN authentication LDAP and internal database

leos.pohl
Level 1
Level 1

Is it possible to authenticate a vpn user in ASA first in LDAP and if the user is not found then try the internal database of the device (or vice versa)?

Thank you.

1 Accepted Solution

Accepted Solutions

Boris Uskov
Level 4
Level 4

Hello, 

As far as I know, it is impossible. You can fall back to LOCAL Database only, if AAA Server, which is used for authentication (AD in your case) is not available at the moment.

But you can configure two differen connection profiles (tunnel groups) on ASA. For the first group you can configure LDAP authentication, for the second - LOCAL authentification.

 

Then you can instruct remote users: Try the first connection profile on your Anyconnect client (or browser in case of clientless vpn). If authentication is unsuccessful, please, try the second connection profile.

 

P.S. In this case you need to enable "Allow user to select connection profile on the login page" option in ASDM or, if you use CLI:

ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#tunnel-group-list enable

View solution in original post

1 Reply 1

Boris Uskov
Level 4
Level 4

Hello, 

As far as I know, it is impossible. You can fall back to LOCAL Database only, if AAA Server, which is used for authentication (AD in your case) is not available at the moment.

But you can configure two differen connection profiles (tunnel groups) on ASA. For the first group you can configure LDAP authentication, for the second - LOCAL authentification.

 

Then you can instruct remote users: Try the first connection profile on your Anyconnect client (or browser in case of clientless vpn). If authentication is unsuccessful, please, try the second connection profile.

 

P.S. In this case you need to enable "Allow user to select connection profile on the login page" option in ASDM or, if you use CLI:

ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#tunnel-group-list enable