How do I configure two LDAP authentication servers for AnyConnect VPN (HA)?

Alex Ribas
Level 1

Hi All

I have just ONE LDAP authentication in the connection to the AnyConnect VPN.

So I tried to find some option to use two LDAP servers (HA), just in case one fails I have a secondary.

I didn't find a secondary option.

tunnel-group TUNNEL_VPN general-attributes
 address-pool (inside) POOL_VPN
 address-pool POOL_VPN
 authentication-server-group LDAP01
 authentication-server-group (inside) LDAP01 LOCAL   <--- no option to include LDAP02, just LOCAL
 authorization-server-group LDAP01
 default-group-policy GRP_VPN
tunnel-group TUNNEL_VPN webvpn-attributes

Any clue?

Thank you

8 Replies

Hi @Alex Ribas 

You are referencing the LDAP group called LDAP01 under the tunnel-group.

You need to define another LDAP host under the LDAP01 group.

I didn't find this option because the information came from here.

aaa-server LDAP01 protocol ldap
aaa-server LDAP01 (inside) host 1.1.1.1
 ldap-base-dn DC=xxx,DC=co,DC=ao
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=jupiter,DC=co,DC=ao
 server-type microsoft
aaa-server LDAP02 protocol ldap
aaa-server LDAP02 (inside) host 2.2.2.2
 ldap-base-dn DC=xxx,DC=co,DC=ao
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=xxx,DC=co,DC=ao
 server-type microsoft

@Alex Ribas 

You've defined a second LDAP group called LDAP02, not created another host in the original group LDAP01. The example below demonstrates how to add a second LDAP server to the same LDAP group. Authentications should fail over to the second host in the group.


aaa-server LDAP01 protocol ldap
aaa-server LDAP01 (INSIDE) host 1.1.1.1
 ldap-base-dn DC=xxx,DC=co,DC=ao
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=xxx,DC=co,DC=ao
 server-type microsoft
aaa-server LDAP01 (INSIDE) host 2.2.2.2
 ldap-base-dn DC=xxx,DC=co,DC=ao
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Services Firewall,CN=Managed Service Accounts,DC=xxx,DC=co,DC=ao
 server-type microsoft

HTH

Yes, my bad

Thanks a lot

Alex


Hi, at login the client requested the user/password twice.

@Alex Ribas 

Are you referring to the other post suggesting using a secondary authentication server group? Then yes, it's basically double authentication, not LDAP server failover.

tunnel-group TESHGROUP type remote-access
tunnel-group TESHGROUP general-attributes
authentication-server-group AD1
secondary-authentication-server-group AD2

please do not forget to rate.
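As an added check (not code from this thread, from Cisco, or from any of the posters), the Python script below parses a constructed ASA-style config and flags two things the replies above distinguish: a tunnel-group whose authentication-server-group has fewer than two hosts (the original LDAP01/LDAP02 layout, where a second group gives no failover, versus the two-host LDAP01 example) and a tunnel-group that uses secondary-authentication-server-group (a second credential prompt for the user, as in the TESHGROUP snippet, not LDAP failover). The sample config, group names and IP addresses are constructed for the example, and the helper names parse_config and audit are my own.

```python
"""Audit an ASA-style config for single-host AAA groups and double-auth tunnel-groups.

Added example for this thread; not Cisco's code. SAMPLE_CONFIG is a constructed
config that mirrors the thread: LDAP01 and LDAP02 each have one host, LDAP03 has
two hosts, and TESHGROUP uses secondary-authentication-server-group.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
aaa-server LDAP01 protocol ldap
aaa-server LDAP01 (inside) host 1.1.1.1
 ldap-base-dn DC=example,DC=test
 server-type microsoft
aaa-server LDAP02 protocol ldap
aaa-server LDAP02 (inside) host 2.2.2.2
 server-type microsoft
aaa-server LDAP03 protocol ldap
aaa-server LDAP03 (inside) host 3.3.3.3
 server-type microsoft
aaa-server LDAP03 (inside) host 4.4.4.4
 server-type microsoft
tunnel-group TUNNEL_VPN type remote-access
tunnel-group TUNNEL_VPN general-attributes
 address-pool POOL_VPN
 authentication-server-group LDAP01 LOCAL
 authorization-server-group LDAP01
tunnel-group TESHGROUP type remote-access
tunnel-group TESHGROUP general-attributes
 authentication-server-group LDAP03
 secondary-authentication-server-group LDAP02
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
# Group name follows an optional "(interface)"; "authorization-server-group" does not match.
AUTH_RE = re.compile(r"^\s*(secondary-)?authentication-server-group (?:\(\S+\) )?(\S+)")


def parse_config(text):
    """Return (groups, tunnel_groups).

    groups: aaa-server group name -> list of host addresses (in config order)
    tunnel_groups: tunnel-group name -> {"primary": [groups], "secondary": [groups]}
    """
    groups = defaultdict(list)
    tunnel_groups = {}
    current_tg = None  # tunnel-group whose general-attributes section we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), [])
            current_tg = None
            continue
        if m := HOST_RE.match(line):
            groups[m.group(1)].append(m.group(3))
            current_tg = None
            continue
        if m := TG_RE.match(line):
            current_tg = m.group(1)
            tunnel_groups[current_tg] = {"primary": [], "secondary": []}
            continue
        if current_tg and (m := AUTH_RE.match(line)):
            key = "secondary" if m.group(1) else "primary"
            tunnel_groups[current_tg][key].append(m.group(2))
            continue
        if not line.startswith(" "):
            current_tg = None  # any other top-level command ends the section
    return dict(groups), tunnel_groups


def audit(text):
    """Return (tunnel_group, aaa_group, message) findings.

    A primary group with fewer than two hosts means no LDAP failover; a
    secondary-authentication-server-group means a second credential prompt.
    """
    groups, tunnel_groups = parse_config(text)
    findings = []
    for tg, refs in tunnel_groups.items():
        for g in refs["primary"]:
            if g == "LOCAL":
                continue  # local user database, not an LDAP group
            hosts = groups.get(g)
            if hosts is None:
                findings.append((tg, g, "group referenced but not defined"))
            elif len(hosts) < 2:
                findings.append((tg, g, f"only {len(hosts)} host; no LDAP failover"))
        for g in refs["secondary"]:
            findings.append((tg, g, "secondary-authentication-server-group: "
                                    "second credential prompt, not failover"))
    return findings


if __name__ == "__main__":
    for tg, grp, msg in audit(SAMPLE_CONFIG):
        print(f"{tg}: {grp}: {msg}")
```

Run it against a `show running-config` saved to a file by replacing SAMPLE_CONFIG with the file contents; a group that appears only once in the findings with "only 1 host" is the single point of failure the thread is about, and the fix is a second `aaa-server <group> (<interface>) host` entry under the same group name, not a new group.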

Thank you

Perfect
