cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
111
Views
3
Helpful
1
Replies
Stacey Hummer
Beginner

VPN authentication recommendations

So, now that Cisco has assisted me in getting the vpn working on my ASA 5525-X I need to utilize active director for authentication/grouping of clients for several different profiles in anyconnect.

My questions is what is the easiest and most efficient way of setting this up. I do have a 2012 R2 server running NAP that is used to authenticate AD users for access to the switches. But should I be utilizing this for ASA as well or do I use AD directly to the ASA?

A reminder to people that haven't seen my posts, I very new to ASA and need to get this up and running quickly.... Any help/suggestions would be greatly appreciated.

 

Thanks

Stacey

1 ACCEPTED SOLUTION

Accepted Solutions

Hi Stacey,

 

You could use the direct Windows Server to the ASA, it will use the LDAP protocol. You will need to set up the ASA like this:


aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host XXXXXXXXX  --> IP address of the server
   ldap-base-dn DC=vpn,DC=crtac,DC=com  --> This is where the users are stored
   ldap-login-dn CN=ASA-LDAP-user,CN=Users,DC=vpn,DC=crtac,DC=com --> The entire AD tree.
   ldap-login-password **********  --> Password of the administrator
   ldap-naming-attribute sAMAccountName 
   ldap-scope subtree
   server-type microsoft

 

Now you will need to get the login DN:and the base dn. Now on the AD, you should create several groups of users and divide the users for different levels of authorization such as: Vendors, employees..

You can test the authentication using this command:

test aaa-server authentication LDAP_SRV host XXXXXX username: XXXXX password: XXXX

 

and then see if it fails, so you can troubleshoot the issue

Then you will be able to set up LDAP attribute mapping to MAP a group of users on the AD server to a group policy on the ASA.

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

 

Let me know how it works out!

 

Please don't forget to rate and mark as correct the helpful Post!

 

David Castro,

 

Regards,

 

View solution in original post

1 REPLY 1

Hi Stacey,

 

You could use the direct Windows Server to the ASA, it will use the LDAP protocol. You will need to set up the ASA like this:


aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host XXXXXXXXX  --> IP address of the server
   ldap-base-dn DC=vpn,DC=crtac,DC=com  --> This is where the users are stored
   ldap-login-dn CN=ASA-LDAP-user,CN=Users,DC=vpn,DC=crtac,DC=com --> The entire AD tree.
   ldap-login-password **********  --> Password of the administrator
   ldap-naming-attribute sAMAccountName 
   ldap-scope subtree
   server-type microsoft

 

Now you will need to get the login DN:and the base dn. Now on the AD, you should create several groups of users and divide the users for different levels of authorization such as: Vendors, employees..

You can test the authentication using this command:

test aaa-server authentication LDAP_SRV host XXXXXX username: XXXXX password: XXXX

 

and then see if it fails, so you can troubleshoot the issue

Then you will be able to set up LDAP attribute mapping to MAP a group of users on the AD server to a group policy on the ASA.

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

 

Let me know how it works out!

 

Please don't forget to rate and mark as correct the helpful Post!

 

David Castro,

 

Regards,

 

View solution in original post

Content for Community-Ad