Solved: ASA VPN authentication LDAP and internal database

leos.pohl · ‎05-31-2015

Is it possible to authenticate a vpn user in ASA first in LDAP and if the user is not found then try the internal database of the device (or vice versa)?

Thank you.

Boris Uskov · ‎06-04-2015

Hello,

As far as I know, it is impossible. You can fall back to LOCAL Database only, if AAA Server, which is used for authentication (AD in your case) is not available at the moment.

But you can configure two differen connection profiles (tunnel groups) on ASA. For the first group you can configure LDAP authentication, for the second - LOCAL authentification.

Then you can instruct remote users: Try the first connection profile on your Anyconnect client (or browser in case of clientless vpn). If authentication is unsuccessful, please, try the second connection profile.

P.S. In this case you need to enable "Allow user to select connection profile on the login page" option in ASDM or, if you use CLI:

ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#tunnel-group-list enable

View solution in original post

Boris Uskov · ‎06-04-2015

Hello,

As far as I know, it is impossible. You can fall back to LOCAL Database only, if AAA Server, which is used for authentication (AD in your case) is not available at the moment.

But you can configure two differen connection profiles (tunnel groups) on ASA. For the first group you can configure LDAP authentication, for the second - LOCAL authentification.

Then you can instruct remote users: Try the first connection profile on your Anyconnect client (or browser in case of clientless vpn). If authentication is unsuccessful, please, try the second connection profile.

P.S. In this case you need to enable "Allow user to select connection profile on the login page" option in ASDM or, if you use CLI:

ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#tunnel-group-list enable