EZVPN Authentication

GREG HARPER
Level 1

Can EZVPN use LDAP for authentication?  If yes, how can I set it up?


glh

3 Replies

Roman Rodichev
Level 7

EZVPN server on ASA? Yes, you can use LDAP to authenticate.

aaa-server AD protocol ldap
aaa-server AD (inside) host WINDOWS_DC_SERVER
 server-port 3268
 ! 389 also works; 3268 is the global catalog port
 ldap-base-dn DC=domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! bind account the ASA uses to search for users (password value omitted here)
 ldap-login-password
 ldap-login-dn CN=ciscoasa,CN=Users,DC=domain,DC=com
 server-type microsoft
!
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool VPNPOOL
 authentication-server-group AD

Roman -

Thanks for the timely response, this will help do the trick.

Thanks,

Greg L. Harper, CISA, CISM

Manager, Information Systems Security

Children's Mercy Hospital

x51161

By the way, you might decide that you want only specific users (in your case it's just one ezvpn user) allowed access to VPN. You can then put the user in AD into a special group, call it VPN, and do this on ASA:

ldap attribute-map CISCOMAP
  map-name  memberOf IETF-Radius-Class
  ! VPNPolicy is your group policy used by ezvpn
  map-value memberOf "CN=VPN,DC=domain,DC=com" VPNPolicy
!
aaa-server VPNldap (inside) host x.x.x.x
 ldap-attribute-map CISCOMAP
!
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
!
! EZVPN is your ezvpn tunnel-group name
tunnel-group EZVPN general-attributes
 default-group-policy noaccess

You are basically forcing anyone using the EZVPN group name into the noaccess group-policy, which will fail login because of "vpn-simultaneous-logins 0", but if the user is part of the AD VPN group, it will throw the user into the VPNPolicy group policy instead (not shown in this config).

You can see what LDAP returns for group membership by doing "debug ldap 20"
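To see how the two pieces of Roman's configuration fit together (the user lookup driven by ldap-naming-attribute in the first reply, and the memberOf to group-policy mapping with the noaccess fallback in the second), here is an added example that models the ASA's decision in Python. It is not code from the thread or from Cisco. The group DN CN=VPN,CN=Users,DC=domain,DC=com, the user names, and the simultaneous-logins value for VPNPolicy are assumptions; the constructed memberOf lists stand in for what the LDAP debug output would show you from the real directory.

```python
"""Model of the ASA's LDAP authorization decision (added example, not Cisco code).

Reproduces, on constructed data, what the configuration in this thread does:
  1. build the search filter from ldap-naming-attribute (first reply),
  2. map the user's memberOf values through the ldap attribute-map to a
     group-policy, falling back to default-group-policy noaccess (second reply),
  3. allow the login only if that policy permits at least one session.
"""

# Assumed: the VPN group sits in AD's default Users container, so the DN the
# directory returns is CN=VPN,CN=Users,DC=domain,DC=com.  The ASA matches
# map-value against that full DN string, container included.
ATTRIBUTE_MAP = {
    "CN=VPN,CN=Users,DC=domain,DC=com": "VPNPolicy",  # map-value memberOf ... VPNPolicy
}

# The only group-policy attribute this decision needs.  VPNPolicy's value is
# an assumption; noaccess is exactly the "vpn-simultaneous-logins 0" above.
GROUP_POLICIES = {
    "noaccess": {"vpn-simultaneous-logins": 0},
    "VPNPolicy": {"vpn-simultaneous-logins": 3},
}
DEFAULT_GROUP_POLICY = "noaccess"  # tunnel-group EZVPN default-group-policy

# Constructed stand-in for what the directory returns for two users; on the
# real box this is the memberOf list you read out of the LDAP debug output.
SAMPLE_DIRECTORY = {
    "jdoe": ["CN=VPN,CN=Users,DC=domain,DC=com",
             "CN=Domain Users,CN=Users,DC=domain,DC=com"],
    "asmith": ["CN=Domain Users,CN=Users,DC=domain,DC=com"],
}


def ldap_filter(naming_attribute: str, username: str) -> str:
    """Search filter the ASA sends once it has bound with ldap-login-dn.

    Filter metacharacters in the user name are escaped per RFC 4515 so a
    name like "*" cannot widen the search.
    """
    escaped = "".join(
        "\\%02x" % ord(c) if c in "*()\\\x00" else c for c in username
    )
    return "(%s=%s)" % (naming_attribute, escaped)


def resolve_group_policy(member_of) -> str:
    """Apply map-name memberOf IETF-Radius-Class: the first memberOf DN that
    has a map-value entry names the group-policy (a simplification of the
    ASA's behaviour when several groups match); with no match the user gets
    the tunnel-group's default-group-policy."""
    for dn in member_of:
        policy = ATTRIBUTE_MAP.get(dn)
        if policy is not None:
            return policy
    return DEFAULT_GROUP_POLICY


def login_allowed(member_of):
    """Return (allowed, policy): allowed is False when the selected policy
    has vpn-simultaneous-logins 0, which is how noaccess rejects the login."""
    policy = resolve_group_policy(member_of)
    allowed = GROUP_POLICIES[policy]["vpn-simultaneous-logins"] > 0
    return allowed, policy


def authorize(username: str, directory=SAMPLE_DIRECTORY):
    """End-to-end: look the user up (here, in the constructed sample) and decide."""
    member_of = directory.get(username, [])  # unknown user: no groups, so noaccess
    return login_allowed(member_of)


if __name__ == "__main__":
    print(ldap_filter("sAMAccountName", "jdoe"))
    for user in ("jdoe", "asmith", "nobody"):
        print(user, authorize(user))
```

One caveat the model makes visible: the map-value has to be the group's full DN as AD returns it. A group created in the default Users container comes back as CN=VPN,CN=Users,DC=domain,DC=com, and a map-value written without the container never matches, so every user silently lands in noaccess and is refused. When that happens, the LDAP debug output is where you confirm the exact DN string before editing the attribute map.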