VPN authentication recommendations

Stacey Hummer
Level 1

So, now that Cisco has assisted me in getting the VPN working on my ASA 5525-X, I need to utilize Active Directory for authentication/grouping of clients for several different profiles in AnyConnect.

My question is: what is the easiest and most efficient way of setting this up? I do have a 2012 R2 server running NAP that is used to authenticate AD users for access to the switches. But should I be utilizing this for the ASA as well, or do I use AD directly from the ASA?

A reminder to people that haven't seen my posts: I'm very new to ASA and need to get this up and running quickly... Any help/suggestions would be greatly appreciated.

Thanks

Stacey

Accepted Solution

Hi Stacey,

You could connect the ASA directly to the Windows Server; it will use the LDAP protocol. You will need to set up the ASA like this:

aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host XXXXXXXXX  --> IP address of the server
   ldap-base-dn DC=vpn,DC=crtac,DC=com  --> Search base: this is where the users are stored
   ldap-login-dn CN=ASA-LDAP-user,CN=Users,DC=vpn,DC=crtac,DC=com  --> DN of the account the ASA binds with to search the AD tree
   ldap-login-password **********  --> Password of that bind account (ASA-LDAP-user)
   ldap-naming-attribute sAMAccountName  --> AD attribute matched against the username the client types
   ldap-scope subtree  --> Search the whole tree below the base DN
   server-type microsoft

Now you will need to get the login DN and the base DN. Then, on the AD side, you should create several groups of users and divide the users into different levels of authorization, such as vendors and employees.

You can test the authentication using this command (the server tag must match the aaa-server name configured above):

test aaa-server authentication LDAP-SRV host XXXXXX username XXXXX password XXXX

and then see if it fails, so you can troubleshoot the issue.

Then you will be able to set up LDAP attribute mapping to map a group of users on the AD server to a group policy on the ASA.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Let me know how it works out!

Please don't forget to rate and mark the helpful post as correct!

Regards,

David Castro

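The attribute-mapping step the answer refers to, written out as an added example (this is not part of David's post and not copied from the linked Cisco document). It assumes the aaa-server tag LDAP-SRV and the base DN from the post; the server IP 192.0.2.10 is a documentation placeholder, and the AD groups VPN-Employees and VPN-Vendors, the group policies GP-EMPLOYEES, GP-VENDORS and GP-NOACCESS, and the tunnel group ANYCONNECT-TG are names chosen for the example. The map turns the multi-valued memberOf attribute AD returns for the user into the ASA Group-Policy attribute, and every user who matches no map-value lands in a policy that allows zero sessions, so an authenticated AD account that is not in a VPN group still gets no tunnel.

```cisco
! Group policies the AD groups will map to (example names, not from the post)
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-EMPLOYEES internal
group-policy GP-VENDORS internal

! Map the AD memberOf attribute onto the ASA Group-Policy attribute.
! Each map-value pairs one AD group DN with one ASA group policy.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Employees,OU=Groups,DC=vpn,DC=crtac,DC=com GP-EMPLOYEES
 map-value memberOf CN=VPN-Vendors,OU=Groups,DC=vpn,DC=crtac,DC=com GP-VENDORS

! Attach the map to the LDAP server entry and wrap the bind in LDAPS so the
! bind-account password and user credentials do not cross the inside network in clear text.
! 192.0.2.10 is a placeholder for the domain controller address.
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-over-ssl enable
 server-port 636
 ldap-attribute-map AD-GROUP-MAP

! The AnyConnect tunnel group authenticates against LDAP-SRV; users that match
! no map-value fall into GP-NOACCESS and are refused a session.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy GP-NOACCESS
```

Two things to check before relying on it: keep the VPN groups mutually exclusive, because a user whose memberOf carries several mapped DNs is assigned from the first matching value rather than the most restrictive one; and for the LDAPS bind the ASA needs to trust the certificate the domain controller presents, so import the AD CA certificate into a trustpoint first or the bind fails. `show running-config ldap attribute-map` confirms the map, and `debug ldap 255` while running the `test aaa-server authentication` command from the post prints the attributes AD returned so you can see which memberOf value was matched.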