03-13-2015 09:15 AM
So, now that Cisco has assisted me in getting the VPN working on my ASA 5525-X, I need to utilize Active Directory for authentication/grouping of clients for several different profiles in AnyConnect.
My question is: what is the easiest and most efficient way of setting this up? I do have a 2012 R2 server running NAP that is used to authenticate AD users for access to the switches. But should I be utilizing this for the ASA as well, or do I point the ASA at AD directly?
A reminder to people that haven't seen my posts: I am very new to ASA and need to get this up and running quickly. Any help/suggestions would be greatly appreciated.
Thanks
Stacey
03-13-2015 11:09 AM
Hi Stacey,
You could point the ASA directly at the Windows server; it will use the LDAP protocol. You will need to set up the ASA like this:
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host XXXXXXXXX --> IP address of the domain controller
 ldap-base-dn DC=vpn,DC=crtac,DC=com --> Base of the subtree where the users are searched for
 ldap-login-dn CN=ASA-LDAP-user,CN=Users,DC=vpn,DC=crtac,DC=com --> DN of the account the ASA binds with
 ldap-login-password ********** --> Password of that bind account
 ldap-naming-attribute sAMAccountName
 ldap-scope subtree
 server-type microsoft
Now you will need to get the login DN and the base DN. Then, on the AD side, you should create several groups of users and divide the users into different levels of authorization, such as Vendors, Employees, etc.
You can test the authentication using this command:
test aaa-server authentication LDAP-SRV host XXXXXX username XXXXX password XXXX
and then see if it fails, so you can troubleshoot the issue.
Then you will be able to set up LDAP attribute mapping to map a group of users on the AD server to a group policy on the ASA.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
Let me know how it works out!
Please don't forget to rate and mark as correct the helpful Post!
Regards,
David Castro
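The attribute-mapping step the answer above points to, written out as an added example (this is not configuration from the original post or from the linked Cisco document). It maps the AD memberOf attribute to an ASA group policy for two assumed AD groups, VPN-Employees and VPN-Vendors, binds over LDAPS with an assumed least-privilege service account, and makes the tunnel group's default policy refuse logins so that an AD user who is in neither group cannot connect. The IP address 10.10.10.5, the DNs, and the policy, ACL, pool and tunnel-group names are all assumptions for the example.

```cisco
! Added example, not from the original post. Addresses, DNs and names are assumed.

! One group policy per AD group, plus a default that refuses logins.
! vpn-simultaneous-logins 0 is what turns "not in any mapped group" into a denied login.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-EMPLOYEES internal
group-policy GP-EMPLOYEES attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-VENDORS internal
group-policy GP-VENDORS attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VENDOR-ACL
! VENDOR-ACL is an assumed access-list that limits what vendors can reach; define it separately.

! Translate the AD memberOf value into the ASA Group-Policy attribute.
! The DN must match exactly what AD returns for the group.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Employees,OU=Groups,DC=vpn,DC=crtac,DC=com GP-EMPLOYEES
 map-value memberOf CN=VPN-Vendors,OU=Groups,DC=vpn,DC=crtac,DC=com GP-VENDORS

! AAA server group: bind with a plain domain user (read access is enough), over LDAPS.
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.10.10.5
 ldap-base-dn DC=vpn,DC=crtac,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,CN=Users,DC=vpn,DC=crtac,DC=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-attribute-map AD-GROUP-MAP

! Tunnel group used by the AnyConnect profile: authenticate against LDAP-SRV,
! land in GP-NOACCESS unless the attribute map assigned something else.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAP-SRV
 default-group-policy GP-NOACCESS
```

Two checks worth doing once this is in place. First, run test aaa-server authentication LDAP-SRV host 10.10.10.5 username <user> password <password> for one user from each AD group and for one user in neither group; the first two should succeed and the third should be rejected because GP-NOACCESS allows zero simultaneous logins. Second, while testing, debug ldap 255 shows the memberOf values AD returns, which is the quickest way to spot a map-value DN that does not match the group's real DN. The bind account only needs the default read rights of a domain user; giving the ASA a Domain Admin credential, as the "password of the administrator" wording in the answer might suggest, puts that credential in the firewall config for no benefit.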