09-13-2013 08:04 AM - edited 02-21-2020 07:09 PM
Hi,
I have a Cisco ASA that remote clients will be connecting to for VPN (using the Cisco client). I want user authentication to be done through Active Directory, but I'm really not sure which method I should use. What is the advantage of one over the other?
Thanks
09-13-2013 09:27 AM
Hi Zafar
I would say go for LDAP; it gives you more options than Kerberos apart from just authenticating users.
Using LDAP you can make sure only one specific group can connect using VPN.
You can assign group policies on the basis of users.
It gives you more options than Kerberos.
I hope that answers your question.
Thanks
Jeet Kumar
09-14-2013 09:00 AM
Hi Jeet,
Thanks for your quick response. Can you please tell me in a little more detail how, when using LDAP, I can allow one specific group to connect using VPN? Also you mentioned, "You can assign group policies on the basis of users." Will those group policies be applied at the ASA or at the LDAP server?
Thanks
09-22-2013 02:10 AM
Hi Zafar,
Frequently, administrators want to provide VPN users with different access permissions or WebVPN content. On the ASA this is regularly achieved through the assignment of different group policies to different users. When LDAP authentication is in use, this can be achieved automatically with an LDAP attribute map.
In order to use LDAP to assign a group policy to a user, you need to configure a map that maps an LDAP attribute.
In order to get a better understanding and review the configuration example, I'd encourage you to visit the link listed below. In case you have any query or concern, post all your doubts here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Why do we prefer LDAP over Kerberos? The only reason is that with Kerberos, although you can encrypt the whole packet, it does not allow you to restrict user authorization. With LDAP, you get this flexibility. In case you would ever like to configure or troubleshoot Kerberos in your setup, don't forget to review this document:
https://supportforums.cisco.com/docs/DOC-2974
~BR
Jatin Katyal
**Do rate helpful posts**