03-24-2016 06:26 AM - edited 02-21-2020 08:44 PM
Hello folks,
I would like to configure my VPN to recognize the machine and allow it to connect to the VPN only if the machine is a member of the domain (AD).
Is it possible?
How can I do it?
Note: my VPN has a DAP configured to recognize membership of a group in AD (users).
Thanks
Marcio
03-24-2016 09:58 AM
Hi Marcio,
I see. OK, in that case what you would want is to deploy HostScan so it can scan the endpoint connecting to the ASA. This scan report will be sent to the ASA, and you can create DAP policies against certain attributes that will allow the connection. Once you have applied the DAPs you want to permit, you then need to set the default DAP to terminate all connections. Make sure you are very specific with the permit DAPs and that your clients comply with what you are matching; otherwise you may have unauthorized clients connecting, or users that are unable to connect. The endpoints that don't meet the criteria will get the default and have their connection terminated.
DAP and HostScan being so versatile, it is hard to find documentation on that or specific configuration examples. I think the requirement is to run 8.4 or higher, though. We can help you here at TAC with the configuration if you need assistance.
Hope this helps.
08-04-2016 05:43 AM
Hello Amdhage!
I solved this problem with DAP as you mentioned; this works fine.
I don't have MAC in my clients, so for this reason I didn't have to worry about it.
Thanks for your support.
03-24-2016 07:45 AM
Hi Marco,
I'm unsure whether, when you say member of an AD domain, you mean member of a specific security group in AD. If this is the case, then yes, this is possible: it can be done with LDAP attribute mapping on the ASA. It can also be done with RADIUS mapping; however, when using RADIUS this needs to be done on the server, not the ASA. You can also do something similar with certificate mapping. DAP can also be used together with it and continue to assign the attributes that you are assigning, depending on what you are matching on in the DAP.
Here are a few links for the mapping methods I mentioned before:
ASA Use of LDAP Attribute Maps Configuration Example:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
PIX/ASA 8.0: Use LDAP Authentication to Assign a Group Policy at Login:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html
ASA AnyConnect Double Authentication with Certificate Validation, Mapping, and Pre-Fill Configuration Guide:
http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html
Configure ACS to Assign a Group Policy at Login using RADIUS:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/98608-radius-assign-group-policy.html
Hope this helps.
03-24-2016 08:20 AM
Hello William,
Thanks for your support
The DAP that is configured uses LDAP, and people can only authenticate if they are members of a group; this works very well.
Now my customer wants to provide VPN only if the computer is registered on the domain controller. In other words, if a person wants to use the VPN on their personal computer, it will not be possible. So I need to make sure that, when this person tries to connect to the VPN, it checks whether their computer is registered in AD.
Thanks
03-24-2016 10:23 AM
Thanks William,
Opening a TAC case is, I think, the best option.