How to set up VPN with ActiveDirectory authentication?

cisco
Level 1

Hi,

I am running an ASA 5520 with remote access VPN configured with RADIUS authentication (RSA SecurID). Now I want to create a VPN profile that authenticates directly against my internal Kerberos/ActiveDirectory controller to check both that the username is valid AND that the client has a valid computer account in AD. A couple of questions:

  • What is the difference between "Cisco AnyConnect" and "Cisco AnyConnect Secure Mobility Client"?
  • Is it possible to check against both the username and the computer account?
  • Is there a step-by-step guide on how to do this? Which mechanisms do I have to configure on the ASA?
  • Do I need special SSL licenses for this? (Today I have a license for 50 SSL VPN peers.)

I know that these are general questions, but it would be nice if someone could give some hints on how to do this.

Regards,

Thor-Egil

1 Reply

Marcin Latosiewicz
Cisco Employee

Thor-Egil,

Since AnyConnect is now available on multiple platforms, there was a bit of name changing ;-)

Regarding authentication and authorization: typically, to talk to Active Directory the ASA uses LDAP or Kerberos (the former is used more often):

Summary of support:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_aaa.html#wp1059666

You may find two examples useful:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

and

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

I have not met authentication via machine account - not to say that it does not exist.

More often we use user authentication with LDAP + machine certificates.

HTH,

Marcin
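To make the approach in the reply concrete (user authentication against AD over LDAP, plus a client certificate issued by the internal CA so that only domain-joined machines can connect), here is an added example ASA configuration. It is not from the thread, the linked Cisco documents, or any Cisco sample; every name, address, DN and password below is a placeholder, and the `anyconnect` / `ssl-client` keywords assume ASA 8.4 or later (on 8.3, the release the linked guide covers, the equivalent keywords are `svc enable` and `vpn-tunnel-protocol svc`).

```cisco
! Added example, not from the thread. Placeholders: 10.0.0.10 (domain
! controller), example.local (AD domain), RA-AD (profile name), RA-POOL,
! INTERNAL-CA, and the bind account / password.

! --- LDAP server group pointing at a domain controller, over LDAPS (636) ---
! Without ldap-over-ssl the bind password and every user password the ASA
! forwards to AD cross the inside network in cleartext.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap-bind,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <bind-account-password>
 server-type microsoft

! --- Trust the internal CA that issues the client (machine) certificates ---
! After defining the trustpoint, import the CA certificate in exec mode with
! "crypto ca authenticate INTERNAL-CA" and paste the PEM when prompted.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 revocation-check crl

! --- Address pool and group policy for this profile ---
ip local pool RA-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
group-policy RA-AD-POLICY internal
group-policy RA-AD-POLICY attributes
 vpn-tunnel-protocol ssl-client
 address-pools value RA-POOL

! --- Tunnel group: "aaa certificate" means BOTH an LDAP user login AND a
! valid client certificate are required; "aaa" alone would skip the
! certificate check and therefore the machine requirement.
tunnel-group RA-AD type remote-access
tunnel-group RA-AD general-attributes
 authentication-server-group AD-LDAP
 default-group-policy RA-AD-POLICY
tunnel-group RA-AD webvpn-attributes
 authentication aaa certificate
 group-alias RA-AD enable

! --- Expose the profile on the outside interface ---
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

Before pointing users at the new profile, verify the LDAP leg on its own from exec mode with `test aaa-server authentication AD-LDAP host 10.0.0.10 username <testuser> password <password>`; if that fails, the tunnel group will fail as well regardless of the certificate. Note that this only proves the connecting machine holds a certificate from the internal CA; the ASA does not look up the computer account in AD, which is the gap the reply alludes to.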