
integrate VPN with AD

mautez_mah (Level 1)

Hi,
I am working on an FW ASA.
SSL-VPN is integrated with AD, and all users are created in AD within a specific group.
How can I add a new group to AD and match it in the ASA?
How can the ASA know that a group in the ASA should get its users from a specific group in AD?
ju



@mautez_mah

If using LDAP, utilise an LDAP attribute map to map the AD group.

https://integratingit.wordpress.com/2020/04/03/asa-remote-access-vpn-using-ldap/

 

mautez_mah (Level 1)

@Rob Ingram
Many thanks. Can I know how to do it through ASDM, please?

Hi,

How are you using AD in this case? Are you using the LDAP protocol on the ASA, or do you use ISE, which then integrates with AD?

Why can't your VPN users just be in the VPN user group?

 

mautez_mah (Level 1)

@Flavio Miranda

I am using AD, not ISE. I just need to know how to match a group in the ASA with a group in AD.

Accepted solution:

AD and ISE are completely different things. What I asked is whether you are using ISE, or searching AD with LDAP directly from the ASA.

Then you need to follow these instructions:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Then, I said that instead of searching for a group, wouldn't it make more sense to add one group for VPN users and then look at this group only? But if what works for you is searching for a group in AD using LDAP from the ASA:

"On the ASA, this is regularly achieved through the assignment of different group policies to different users. When LDAP authentication is in use, this can be achieved automatically with an LDAP attribute map. In order to use LDAP to assign a group policy to a user, you must map an LDAP attribute, such as the AD attribute memberOf, to the Group-Policy attribute that is understood by the ASA. Once the attribute mapping is established, you must map the attribute value configured on the LDAP server to the name of a group policy on the ASA.

Note: The memberOf attribute corresponds to the group that the user is a part of in the Active Directory. It is possible for a user to be a member of more than one group in the Active Directory. This causes multiple memberOf attributes to be sent by the server, but the ASA can only match one attribute to one group policy."

mautez_mah (Level 1)

@Rob Ingram
I have attached screenshots. I can't see configuration for LDAP or dynamic access,
even though we are using AD for all VPN users. Is this because the FW is in context mode?

 

@mautez_mah the screenshot is of the LDAP attribute map, which won't be configured.

Please provide your configuration for review, so we can determine what you have configured.

mautez_mah (Level 1)

@Rob Ingram
Thanks.
I created a group policy and a tunnel group on the ASA. Could you please tell me what configuration you asked me to share?
In AD I configured NPS for the new group.
Note: there are groups that are already working fine, and I tried to match all features either in AD or in the ASA, but it still shows "Login failed".
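The checks a practitioner would run on the ASA when a new group gets "Login failed" while existing groups work. This is an added example, not the poster's configuration or commands from the thread; the server tag AD-LDAP, host 10.0.0.10, user jdoe and policy name GP-USERS are assumptions for illustration. One caveat worth stating plainly, since the last post mentions NPS: NPS is a RADIUS server, so an NPS network policy only affects authentication if the ASA's aaa-server group uses protocol radius and points at the NPS host; with protocol ldap the ASA binds straight to the domain controller and NPS is never consulted, so the group must be visible in the user's memberOf attribute and present in the attribute map instead.

```cisco
! Added example (not from the thread): verification commands, run from the
! ASA CLI in enable mode. Server tag, host and account names are assumptions.

! Authenticate exactly as the tunnel group would, against one specific server
test aaa-server authentication AD-LDAP host 10.0.0.10 username jdoe password <user-password>

! Watch the LDAP exchange while the test (or a real login) runs: bind, search,
! every memberOf value AD returns, and the map-value the ASA resolved from it.
! A DN in the debug output that differs from the map-value by even one
! character (spelling, OU path, trailing space) means the map does not match.
debug ldap 255
debug aaa common 255

! Confirm the map is attached to the server group and that every group-policy
! named in a map-value actually exists with that exact name
show running-config aaa-server AD-LDAP
show running-config ldap attribute-map
show running-config group-policy GP-USERS
show running-config tunnel-group SSLVPN

! After a successful connection, confirm which group policy was applied
show vpn-sessiondb anyconnect filter name jdoe

! Turn the debugs off when done; they are verbose on a busy box
undebug all
```

If the test command succeeds but the real login fails, the problem is after authentication (the resolved group policy, or a default policy with vpn-simultaneous-logins 0). If the test itself fails, read the bind and search results in the debug output first: a wrong ldap-login-dn, base DN or naming attribute fails every user, while a memberOf value that matches no map-value fails only users in the new group, which is the symptom described above.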
