How I configure Two LDAP Authentication to use Anyconnect VPN (HA)

Alex Ribas
Level 1

Hi All

I have just ONE LDAP authentication server in the AnyConnect VPN connection.

So I tried to find some option to use two LDAP servers (HA), just in case one fails I have a secondary.

I didn't find a secondary option.

tunnel-group TUNNEL_VPN general-attributes
 address-pool (inside) POOL_VPN
 address-pool POOL_VPN
 authentication-server-group LDAP01
 authentication-server-group (inside) LDAP01 LOCAL   <--- no option to include LDAP02 here, just LOCAL
 authorization-server-group LDAP01
 default-group-policy GRP_VPN
tunnel-group TUNNEL_VPN webvpn-attributes

Any clue?

Thank you

4 Accepted Solutions
8 Replies

Hi @Alex Ribas 

You are referencing the LDAP group called LDAP01 under the tunnel-group.

You need to define another LDAP host under the LDAP01 group.

I didn't find this option because the information came from here.

aaa-server LDAP01 protocol ldap
aaa-server LDAP01 (inside) host 1.1.1.1
 ldap-base-dn DC=xxx,DC=co,DC=ao
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=jupiter,DC=co,DC=ao
 server-type microsoft
aaa-server LDAP02 protocol ldap
aaa-server LDAP02 (inside) host 2.2.2.2
 ldap-base-dn DC=xxx,DC=co,DC=ao
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=xxx,DC=co,DC=ao
 server-type microsoft

@Alex Ribas 

You've defined a second LDAP group called LDAP02, not created another host in the original group LDAP01. The example below demonstrates how to add a second LDAP server to the same LDAP group. Authentications should fail over to the second host in the group.


aaa-server LDAP01 protocol ldap
aaa-server LDAP01 (INSIDE) host 1.1.1.1
 ldap-base-dn DC=xxx,DC=co,DC=ao
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=xxx,DC=co,DC=ao
 server-type microsoft
aaa-server LDAP01 (INSIDE) host 2.2.2.2
 ldap-base-dn DC=xxx,DC=co,DC=ao
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=xxx,DC=co,DC=ao
 server-type microsoft

HTH

Yes, my bad.

Thanks a lot

Alex

Hi, on login the client requested the user/password twice.

@Alex Ribas 

Are you referring to the other post suggesting using a secondary authentication server group? Then yes, it's basically double authentication, not LDAP server failover.

tunnel-group TESHGROUP type remote-access
tunnel-group TESHGROUP general-attributes
authentication-server-group AD1
secondary-authentication-server-group AD2

please do not forget to rate.

Thank you

Perfect
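The thread settles two things: LDAP failover on the ASA comes from a second `host` line inside the same `aaa-server` group, and `secondary-authentication-server-group` is a second credential prompt, not a backup server. The script below is an added example (not code from the thread, the ASA, or Cisco) that audits a running-config fragment for exactly those two mistakes: a tunnel-group whose authentication group has only one host, an LDAP group that is defined but never referenced (the original LDAP02), and a secondary group that will produce the double prompt reported above. The parser only understands the line shapes that appear in the posts (assumption); the three sample configs and their IP addresses are constructed placeholders.

```python
"""Audit ASA tunnel-group / aaa-server config for real LDAP failover.

Added example for this thread, not code from the posts or from Cisco.
Assumption: the parser recognises only the line shapes shown in the thread
("aaa-server NAME protocol ldap", "aaa-server NAME (iface) host IP",
"tunnel-group NAME general-attributes" and its authentication-server-group
lines). Interface-specific auth lines are treated like the global one.
"""
import re

RE_PROTO = re.compile(r"^\s*aaa-server\s+(\S+)\s+protocol\s+(\S+)")
RE_HOST = re.compile(r"^\s*aaa-server\s+(\S+)\s+\(\S+\)\s+host\s+(\S+)")
RE_TG = re.compile(r"^\s*tunnel-group\s+(\S+)\s+(\S+)")
RE_AUTH = re.compile(
    r"^\s*(secondary-)?authentication-server-group\s+(?:\(\S+\)\s+)?(\S+)(\s+LOCAL)?\s*$"
)


def parse(config: str):
    """Return (aaa_groups, tunnel_groups).

    aaa_groups:    name -> {"protocol": str, "hosts": [ip, ...]}
    tunnel_groups: name -> {"primary": (group, local_fallback) | None,
                            "secondary": group | None}
    """
    aaa, tgs, current_tg = {}, {}, None
    for line in config.splitlines():
        if m := RE_PROTO.match(line):
            aaa.setdefault(m[1], {"protocol": m[2], "hosts": []})["protocol"] = m[2]
            current_tg = None
        elif m := RE_HOST.match(line):
            aaa.setdefault(m[1], {"protocol": "?", "hosts": []})["hosts"].append(m[2])
            current_tg = None
        elif m := RE_TG.match(line):
            # Only the general-attributes section carries the auth-group lines.
            current_tg = m[1] if m[2] == "general-attributes" else None
            tgs.setdefault(m[1], {"primary": None, "secondary": None})
        elif current_tg and (m := RE_AUTH.match(line)):
            if m[1]:  # "secondary-" prefix: a second credential prompt
                tgs[current_tg]["secondary"] = m[2]
            else:
                tgs[current_tg]["primary"] = (m[2], m[3] is not None)
    return aaa, tgs


def audit(config: str) -> list[str]:
    """Return findings; an empty list means every auth group can fail over."""
    aaa, tgs = parse(config)
    findings, referenced = [], set()
    for tg, cfg in tgs.items():
        if cfg["primary"] is None:
            continue  # e.g. a tunnel-group that only defines webvpn-attributes
        group, local = cfg["primary"]
        referenced.add(group)
        if group not in aaa:
            findings.append(f"{tg}: authentication group {group} is not defined")
        elif len(aaa[group]["hosts"]) < 2:
            fb = "LOCAL fallback only" if local else "no fallback at all"
            findings.append(
                f"{tg}: group {group} has {len(aaa[group]['hosts'])} host(s); "
                f"add a second 'aaa-server {group} (<iface>) host <ip>' for failover ({fb})"
            )
        if cfg["secondary"]:
            referenced.add(cfg["secondary"])
            findings.append(
                f"{tg}: secondary-authentication-server-group {cfg['secondary']} "
                "prompts for a second username/password; it is not LDAP failover"
            )
    for name, g in aaa.items():
        if g["protocol"] == "ldap" and name not in referenced:
            hosts = ", ".join(g["hosts"])
            findings.append(f"group {name} ({hosts}) is defined but no tunnel-group uses it")
    return findings


# Constructed sample configs distilled from the thread (placeholder addresses).
BROKEN = """\
aaa-server LDAP01 protocol ldap
aaa-server LDAP01 (inside) host 1.1.1.1
 server-type microsoft
aaa-server LDAP02 protocol ldap
aaa-server LDAP02 (inside) host 2.2.2.2
 server-type microsoft
tunnel-group TUNNEL_VPN general-attributes
 address-pool POOL_VPN
 authentication-server-group (inside) LDAP01 LOCAL
 authorization-server-group LDAP01
tunnel-group TUNNEL_VPN webvpn-attributes
"""

FIXED = """\
aaa-server LDAP01 protocol ldap
aaa-server LDAP01 (inside) host 1.1.1.1
 server-type microsoft
aaa-server LDAP01 (inside) host 2.2.2.2
 server-type microsoft
tunnel-group TUNNEL_VPN general-attributes
 authentication-server-group (inside) LDAP01 LOCAL
tunnel-group TUNNEL_VPN webvpn-attributes
"""

DOUBLE_AUTH = """\
aaa-server AD1 protocol ldap
aaa-server AD1 (inside) host 10.0.0.1
aaa-server AD1 (inside) host 10.0.0.2
aaa-server AD2 protocol ldap
aaa-server AD2 (inside) host 10.0.0.3
tunnel-group TESHGROUP type remote-access
tunnel-group TESHGROUP general-attributes
 authentication-server-group AD1
 secondary-authentication-server-group AD2
"""

if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED), ("DOUBLE_AUTH", DOUBLE_AUTH)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["OK: every referenced LDAP group has 2+ hosts"]:
            print(" ", f)
```

Feed it `show running-config aaa-server` plus `show running-config tunnel-group` output and it flags the original configuration (one host in LDAP01, LDAP02 orphaned) while passing the corrected one. On the box itself, confirm the second host is actually reachable with `show aaa-server LDAP01` and `test aaa-server authentication LDAP01 host 2.2.2.2 username <user> password <pass>`, since a dead second host gives the same single point of failure. One further caveat a reviewer would raise on these fragments: the `ldap-login-dn` bind password is sent in clear text on port 389 unless `ldap-over-ssl enable` (and typically `server-port 636`) is set under each host, and that applies to the failover host as much as the primary.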