05-16-2011 09:17 AM
Can EZVPN use LDAP for authentication? If yes, how can I set it up?
glh
05-16-2011 05:35 PM
EZVPN server on ASA? Yes, you can use LDAP to authenticate.
aaa-server AD protocol ldap
aaa-server AD (inside) host WINDOWS_DC_SERVER
 server-port 3268
 ! or: server-port 389
 ldap-base-dn DC=domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password <password>
 ! <password> is a placeholder for the password of the ldap-login-dn account
 ldap-login-dn CN=ciscoasa,CN=Users,DC=domain,DC=com
 server-type microsoft
!
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool VPNPOOL
 authentication-server-group AD
05-16-2011 06:11 PM
Roman -
Thanks for the timely response, this will help do the trick.
Thanks,
Greg L. Harper, CISA, CISM
Manager, Information Systems Security
Children's Mercy Hospital
x51161
05-16-2011 06:40 PM
By the way, you might decide that you want only specific users (in your case it's just one ezvpn user) allowed access to VPN. You can then put the user in AD into a special group, call it VPN, and do this on ASA:
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN,DC=domain,DC=com" VPNPolicy
 ! VPNPolicy is your group policy used by ezvpn
!
aaa-server VPNldap (inside) host x.x.x.x
 ldap-attribute-map CISCOMAP
!
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
!
! EZVPN is your ezvpn tunnel-group name
tunnel-group EZVPN general-attributes
 default-group-policy noaccess
You are basically forcing anyone using the EZVPN group name into the noaccess group-policy, which will fail login because of "vpn-simultaneous-logins 0", but if the user is part of the AD VPN group, it will throw the user into the VPNPolicy group policy instead (not shown in this config).
You can see what LDAP returns for group membership by doing "debug ldap 20".
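Added illustration, not code from Cisco or from the posters above: a small Python model of the selection logic the post describes, so you can see which group-policy a given set of memberOf values lands in and why users outside the VPN group are rejected. It assumes the DN in map-value is compared as an exact string; the real ASA matching details are not covered by the post.

```python
"""Model of how the ASA config above picks a group-policy for an LDAP user.

Mirrors the post: memberOf is mapped to IETF-Radius-Class, a matching value
selects the named group-policy, anything else falls back to the tunnel-group's
default-group-policy (noaccess), whose vpn-simultaneous-logins 0 rejects login.
"""
import re

# Constructed sample: the attribute-map from the post, as typed on the ASA.
ATTRIBUTE_MAP = """
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN,DC=domain,DC=com" VPNPolicy
"""

# group-policy name -> vpn-simultaneous-logins (None = not set, so not limited)
GROUP_POLICIES = {"noaccess": 0, "VPNPolicy": None}
DEFAULT_GROUP_POLICY = "noaccess"   # tunnel-group EZVPN default-group-policy

def parse_attribute_map(text):
    """Return {ldap_attr: {ldap_value: cisco_value}} for LDAP attributes that
    are mapped to IETF-Radius-Class (the group-policy selector)."""
    mapped = {}
    for attr, cisco in re.findall(r"map-name\s+(\S+)\s+(\S+)", text):
        if cisco == "IETF-Radius-Class":
            mapped[attr] = {}
    for attr, ldap_val, cisco_val in re.findall(
            r'map-value\s+(\S+)\s+"([^"]+)"\s+(\S+)', text):
        if attr in mapped:
            mapped[attr][ldap_val] = cisco_val
    return mapped

def effective_policy(user_entry, mapping):
    """user_entry holds the LDAP attributes returned for the authenticated
    user, e.g. {"memberOf": [dn, dn, ...]}. memberOf is multi-valued, so
    every value is checked; the first one present in the map wins
    (assumption: exact string comparison of the DN)."""
    for attr, values in mapping.items():
        for dn in user_entry.get(attr, []):
            if dn in values:
                return values[dn]
    return DEFAULT_GROUP_POLICY

def login_allowed(user_entry, mapping=None):
    """Return (allowed, policy): allowed is False when the chosen policy
    has vpn-simultaneous-logins 0, i.e. the lockout the post relies on."""
    if mapping is None:
        mapping = parse_attribute_map(ATTRIBUTE_MAP)
    policy = effective_policy(user_entry, mapping)
    return GROUP_POLICIES.get(policy) != 0, policy
```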