Local authentication with SAML

AlexFer
Level 1

Hi Experts,

My RA VPN tunnel-group specifies LDAP authentication (towards AD) and LOCAL (i.e. "authentication-server-group ActiveDirectory LOCAL"), the latter so that I can VPN in if remote authentication ever fails; effectively, a backdoor available only in an extreme case.

But, for SAML authentication (kudos: Anyconnect VPN with SAML Authentication), the AAA Configuration Guide states “This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together”: whilst "authorization-server-group" is functional, "authentication-server-group" is NOT.

My only option seems to be a new tunnel-group specifying only LOCAL authentication, but this will open up a permanent backdoor. Is there a better way?

R's, Alex


5 Replies

Cristian Matei
VIP Alumni

Hi,

Indeed, once you specify "saml" as the authentication method, there is no fallback mechanism to be configured (not allowed). What you can do is:

- migrate the existing configuration over to SAML authentication

- configure a new tunnel-group where you use AD/LDAP (why would you use local users on the ASA, instead of the existing AD integration?)

Regards,

Cristian Matei.

Hi Cristian,

thanks for the reply.

> why would you use local users on the ASA, instead of the existing AD integration?

As I wrote, it's a backdoor that is open when AD fails.

For posterity, ... One may get the impression that with SAML authentication the tunnel-group's authentication-server-group is redundant, but it isn't: it affects the domain of the IP mapping pushed to the Context Directory Agent (CDA). Proof:


ASA:

asa-5510# show running-config user-identity
user-identity domain AD aaa-server ActiveDirectory
user-identity default-domain AD
user-identity ad-agent aaa-server ContextDirAgent

 

SYSLOG Server:

Mar 5 14:51:31 asa-5510 %ASA-7-746012: user-identity: Add IP-User mapping 10.60.50.230 - LOCAL\<redacted>@<redacted> Succeeded - VPN user

 

ASA:

asa-5510# configure terminal
asa-5510(config)# tunnel-group Anyconnect-SAML-Staff general-attributes
asa-5510(config-tunnel-general)# authentication-server-group ActiveDirectory
asa-5510(config-tunnel-general)# end

 

SYSLOG Server:

Mar 5 14:57:49 asa-5510 %ASA-7-746012: user-identity: Add IP-User mapping 10.60.50.230 - AD\<redacted>@<redacted> Succeeded - VPN user

Hi,

Yes, so use your main connection-profile (tunnel-group) with SAML, and a backup tunnel-group with AD/LDAP as backup in case SAML fails (instead of local). You can still make use of the Identity firewall feature.

Regards,

Cristian Matei.

Hi Cristian,

> backup tunnel-group with AD/LDAP as backup in case SAML fails (instead of local)

thanks... but the AD/LDAP for VPN authentication is being retired (because Azure Active Directory is used for MFA) and replaced by SAML. (VPN authorization remains against on-premise AD.)

However, I do see your point. By limiting ldap-base-dn, I can limit access to a specified set of administrators and get an exemption for VPN authentication against on-premise AD.

R's, Alex

Exactly.
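The arrangement the thread settles on, written out as an added ASA configuration sketch (this is not configuration from the thread or from Cisco documentation): a main connection profile using SAML with AD authorization, and a backup profile whose LDAP server is scoped via ldap-base-dn to an administrators-only OU. Interface name, IP address, DNs, pool, group-policy and IdP names are placeholders; the `saml idp` definition and trustpoints under `webvpn` are assumed to exist already.

```text
! --- Backup AAA server: on-prem AD over LDAP, search base limited to an admin OU ---
! (placeholder interface, IP, DNs and credential; constructed for this example)
aaa-server ActiveDirectory-Admins protocol ldap
aaa-server ActiveDirectory-Admins (inside) host 10.0.0.10
 ldap-base-dn OU=VPN-Admins,DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=local
 ldap-login-password <placeholder>
 server-type microsoft
!
! --- Main profile: SAML authentication, authorization against on-prem AD ---
tunnel-group Anyconnect-SAML-Staff type remote-access
tunnel-group Anyconnect-SAML-Staff general-attributes
 address-pool VPN-POOL
 default-group-policy GP-Staff
 ! Per Alex's syslog comparison above: with SAML this still sets the domain
 ! (AD\ rather than LOCAL\) in the IP-user mapping pushed to the CDA
 authentication-server-group ActiveDirectory
 authorization-server-group ActiveDirectory
 authorization-required
tunnel-group Anyconnect-SAML-Staff webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/placeholder
 group-alias Staff enable
!
! --- Backup profile: accounts outside the admin OU are simply not found ---
tunnel-group Anyconnect-Admin-Backup type remote-access
tunnel-group Anyconnect-Admin-Backup general-attributes
 address-pool VPN-POOL
 default-group-policy GP-Admins
 authentication-server-group ActiveDirectory-Admins
 authorization-server-group ActiveDirectory
tunnel-group Anyconnect-Admin-Backup webvpn-attributes
 group-alias Admin-Backup enable
```

Because the backup profile's search base only covers the admin OU, the permanent fallback path exists but is usable only by accounts placed there, and every login through it still appears in the %ASA-7-746012 user-identity messages with the AD\ domain for correlation.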