Configuring AAA on ASA for VPN with Microsoft AD

kdbobb
Level 1

I have VPN users authenticating with my MS-Active Directory for my internal users.

Now I would like to move my vendors from a VPN3030 Concentrator to Active Directory and use MS-Active Directory for authentication.

I would like to duplicate the access-list restrictions and filters I have on the VPN3030 on the ASA.

How do I set up the ASA to get an access list for a user from the MS-Active Directory and apply it to a VPN session?

The AD has a field called msRadiusFramedRoute that looks promising?

Kenneth.

3 Replies

Jennifer Halim
Cisco Employee

Currently you are configuring an ldap attribute map on the ASA to map it against a specific group policy.

Have you configured the AD with the access-list, or you are just about to configure it?

Or do you want to just configure the VPN filter on the ASA group-policy itself, since you have already configured the attribute map to map it to a specific group policy?

kdbobb
Level 1

I was hoping that, instead of creating 20 different access lists on the ASA, I could have the ASA pull the access list from the AD controller for the set of rules that apply to traffic for a specified vendor.

Here is what I want to accomplish.  

All vendors access the 10.1.3.x network DNS servers.

vendor A access 10.1.20.x network and 10.1.18 network

vendor B access 10.1.18.20 host only and 10.1.15.1/28 network.

vendor C access only host 10.10.10.10

vendor D access only host 10.10.20.25

vendor E access only network 10.100.x.x

etc, etc, etc, etc,

I was hoping to manage it all with AD.

ahhh, in that case you can use the ldap attribute map, mapping the ldap attribute "info" to the cisco attribute "Cisco-AV-Pairs".

Here is the ACL syntax for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1763743
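To make the approach in this reply concrete, here is an added configuration example (not taken from the original thread or from Cisco's documentation) showing the ASA side of the mapping and the per-user ACL text that would live in the AD "info" attribute. The ASA attribute keyword is written here as Cisco-AV-Pair, which is how it appears in the ASA ldap attribute-map attribute list; the server names, DNs, password, tunnel-group name and addresses are placeholders, and the ACL lines implement the "vendor B" rules from the post (DNS on 10.1.3.x, host 10.1.18.20, network 10.1.15.1/28 written as a 255.255.255.240 mask). Whether a single multi-line "info" value or several attribute values is required for multiple ACEs should be confirmed against the linked reference; this example assumes one ACE per line.

```cisco
! --- ASA: LDAP attribute map that turns the AD "info" attribute into a
!     per-user downloadable ACL (Cisco-AV-Pair) ---
ldap attribute-map VENDOR_ACL_MAP
  map-name info Cisco-AV-Pair

! --- ASA: AD server group used for vendor VPN authentication ---
aaa-server VENDOR_AD protocol ldap
aaa-server VENDOR_AD (inside) host 10.1.3.10          ! placeholder DC address
  ldap-base-dn OU=Vendors,DC=example,DC=local          ! placeholder base DN
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=local   ! placeholder bind account
  ldap-login-password <bind-password>                 ! placeholder
  server-type microsoft
  ldap-attribute-map VENDOR_ACL_MAP

! --- ASA: vendor tunnel group authenticates against that server group ---
tunnel-group VENDORS type remote-access
tunnel-group VENDORS general-attributes
  authentication-server-group VENDOR_AD
  default-group-policy VENDOR_GP

! --- AD side (constructed value): text stored in the "info" attribute
!     (the "Notes" box on the user's Telephones tab) for a vendor B user.
!     Source "any" is the VPN client's assigned address; rule 4 denies the rest.
!
! ip:inacl#1=permit udp any 10.1.3.0 255.255.255.0 eq 53
! ip:inacl#2=permit ip any host 10.1.18.20
! ip:inacl#3=permit ip any 10.1.15.0 255.255.255.240
! ip:inacl#4=deny ip any any
```

With this in place, each vendor's restrictions are edited in that user's AD object rather than in a separate access-list on the ASA. To confirm the mapping during a test logon, `debug ldap 255` on the ASA shows the attributes returned by the DC and how the attribute map rewrote them, and `show vpn-sessiondb detail` for the session shows the filter applied to it; if the "info" value is returned but no filter appears, check the attribute-map name spelled in the aaa-server host block first.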