ASA5505 authentication Via AD

pwynne2009
Level 1

Hi,

I am trying to get domain users to authenticate to my network via Active Directory, but I cannot get this running. Local user accounts on the ASA are working fine.

I have a tunnel group and policy, but I am struggling with getting it to talk to AD.

Below is the configuration I have applied for this:

aaa-server RADIUS protocol radius
reactivation-mode timed
aaa-server RADIUS (inside) host winserver
key radius
radius-common-pw radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside

group-policy RemoteAccessVPN internal
group-policy RemoteAccessVPN attributes
wins-server value 192.168.16.1
dns-server value 192.168.16.1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccessVPN-splitTunnelACL
default-domain value amcs.local
address-pools value asaVPNPool

tunnel-group DefaultRAGroup general-attributes
address-pool asaVPNPool
authentication-server-group RADIUS LOCAL
authorization-server-group RADIUS
accounting-server-group RADIUS
default-group-policy RemoteAccessVPN
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *

Accepted Solution

Jennifer Halim
Cisco Employee

Are you using the RADIUS protocol to communicate with your AD? Are you using an IAS server on your AD for the authentication? Or would you like to authenticate natively through AD?

If you are using native AD, then I would suggest that you use aaa-server with protocol LDAP.

Here is a sample configuration for LDAP authentication to AD:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

However, if you are using RADIUS, authenticating to an IAS server on your AD, then you might want to check if the IAS server has any policy that might be blocking the authentication from the ASA.

I also notice that you have authorization and accounting configured. Are you using those 2? If not, then you can remove the following lines:

authorization-server-group RADIUS
accounting-server-group RADIUS

Lastly, I also notice that you haven't defined which remote access vpn you are actually using, and it hasn't been enabled. You would need to configure "vpn-tunnel-protocol" under the "RemoteAccessVPN" group policy. You would need to enable either "ipsec" or "svc" or both if you are planning to use both.
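The LDAP-to-AD setup the reply recommends, assembled here as an added example; it is not from either poster or from the linked Cisco document. It assumes the domain controller is 192.168.16.1 (the dns-server/wins-server address in the original post), the AD domain is amcs.local (the default-domain value), and a low-privilege bind account named asa-ldap-bind exists in CN=Users; the bind password and test account are placeholders.

```cisco
! Added example: native AD authentication for DefaultRAGroup via LDAP.
! Assumptions: DC at 192.168.16.1, domain amcs.local, bind account
! "asa-ldap-bind" in CN=Users (placeholder name, not from the thread).
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.16.1
 ldap-base-dn DC=amcs,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap-bind,CN=Users,DC=amcs,DC=local
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 server-type microsoft
 ! Optional: LDAPS keeps the bind and user credentials off the wire.
 ! Requires a certificate on the DC; uncomment both lines to enable.
 ! ldap-over-ssl enable
 ! server-port 636

! Enable the VPN protocol the group will carry (IPsec here, or "svc",
! or both), which the reply points out is missing from the original.
group-policy RemoteAccessVPN attributes
 vpn-tunnel-protocol ipsec

! Point the tunnel group at LDAP, keeping LOCAL as a fallback.
! The authorization/accounting server groups are left out, as the
! reply suggests when they are not actually used.
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LDAP LOCAL

! Check the bind and a user lookup from the ASA itself before
! testing with a VPN client (username and password are placeholders):
! test aaa-server authentication LDAP host 192.168.16.1 username testuser password <PASSWORD>
```

If the test command fails, "debug ldap 255" on the ASA shows the bind DN, base DN and search result, which is usually enough to tell a wrong DN from a blocked port.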

