07-12-2010 09:13 AM - edited 02-21-2020 04:43 PM
Hi,
I have a Cisco ASA5520 and have configured it to authenticate against AD using a win2008 box running Network policy server.
In ASDM I can test the auth and it works.
In ASDM->Device Management->AAA Access I can set which auth group I use to auth a user for enable, Telnet, SSH, ASDM/HTTP. When I set SSH to auth using the AD auth group that I created, it works fine....so I know the authentication is working.
Trouble is, it doesn't seem to work for a user authenticating with AnyConnect VPN. I don't seem to be able to find how I tell the ASA to use my AD auth group and not the LOCAL auth group to authenticate VPN users.
Any help is greatly appreciated.
Thanks
M
07-13-2010 05:16 AM
Try this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
But you're probably landing on the defaultwebvpngroup, so change the authentication to be your ldap/ntlm aaa server group there and see if the behavior changes.
By default, SSL connectivity uses the DefaultWEBVPNGroup tunnel-group/connection profile. If you don't want to use that profile/tunnel-group, you have to use either aliases or group-urls to get it to land on a different one:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
--Jason
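The change described in the answer above, written out as ASA CLI; this is an added example, not part of the original thread. The server-group name `AD_NPS`, the RADIUS protocol (assumed because NPS is a RADIUS server), the host address, the `CORP_VPN` profile, and the URL are all assumed placeholders.

```cisco
! Added example: all names, addresses and URLs below are placeholders.

! AAA server group pointing at the NPS box (assumed RADIUS, inside interface).
aaa-server AD_NPS protocol radius
aaa-server AD_NPS (inside) host 192.0.2.10
 key <shared-secret>

! Option 1: SSL VPN clients land on DefaultWEBVPNGroup by default, so point
! that profile at the AD-backed group instead of LOCAL.
! Appending "LOCAL" after the group name would allow local accounts as a
! fallback when the AAA server is unreachable; it is omitted here so VPN
! logins are only ever checked against AD.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD_NPS

! Option 2: leave the default profile alone and steer users to a dedicated
! connection profile with an alias (drop-down on the login page) or a group-url.
tunnel-group CORP_VPN type remote-access
tunnel-group CORP_VPN general-attributes
 authentication-server-group AD_NPS
tunnel-group CORP_VPN webvpn-attributes
 group-alias Corp enable
 group-url https://vpn.example.com/corp enable

! Needed for the alias drop-down to be shown to users.
webvpn
 tunnel-group-list enable

! Verification:
!   show running-config tunnel-group DefaultWEBVPNGroup
!   test aaa-server authentication AD_NPS host 192.0.2.10 username <user> password <password>
```

With Option 2, users who connect without the alias or group-url still land on DefaultWEBVPNGroup, so check which authentication method that profile is left with.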
07-13-2010 07:39 AM
Yep...works now...just changed the auth method for DefaultWEBVPNGroup to the auth group I created and ....sweeet works!
Thanks