Asa Active Directory Integration

Using your Active Directory for VPN authentication on ASA Using Active Directory as a LDAP server with ASA For a long time the only way to use Active Directory (AD) for VPN authentication. Using your Active Directory for VPN authentication on ASA Using Active Directory as a LDAP server with ASA For a long time the only way to use Active Directory (AD) for VPN authentication. Cisco ASA Part 2: Authentication with Active Directory This tutorial gives you the exact steps Configure Authentication with Window Active Directory This tut. This video covers the steps to configure following integration scenarios: - FMC and User Agent - FMC and ISE-PIC - ISE-PIC and Active Directory FMC-ISE certi.

This post describes the procedure to configure a Cisco ASA firewall with LDAP authentication for AnyConnect Remote Access VPN access. Refer to the previous posts for configuring AnyConnect Remote Access VPNs.

ASA AnyConnect IKEv2/IPSec VPN
ASA AnyConnect SSL-VPN
ASA Split Tunneling

Asa Active Directory Integration Tutorial

Active Directory Pre-requisites

The following pre-requisites for Active Directory are required.

An LDAP Service Account
The distinguished name of the Service Account
The distinguished name of the Active Directory Domain
The distinguished name of the 2 Active Directory Groups

The distinguished name can be located using the Active Directory Users and Computers MMC, navigate to the object and click the Attribute Editor tab.

Asa firepower active directory integration

We have created a service account called svc_ldap
A user called user1 is a member of the AD group called Customer1
A user called user2 is a member of the AD group called Customer2

ASA Configuration

Define 2 VPN Pools, each pool will be referenced in the different group-policies to demonstrate the configuration working correctly.

Define a group policy called NOACCESS, this will be applied to the tunnel group. If a user attempts to authenticate and is not a member of either of the AD groups specified in the attribute-map, they will be denied access.

Define 2 Group Policies, these group policies will be assigned dynamically to the users if they are a member of the correct AD group as defined in the attribute-map. Ensure that vpn-simultaneous-logins is manually set, else they will inherit the limit of “0” as defined by the NOACCESS group policy, which will deny access.

An LDAP attribute map is required if you wish to permit only authenticated users in certain AD group. In this example we have 2 AD groups (Customer1 and Customer2), these will map the user to a different Group Policy in order to assign different attributes such as a VPN Pool. AD groups not defined in the attribute-map will be denied access. The distinguish name of the groups can be found in the “Attribute Editor” tab under the AD group in “Active Directory Users & Computers”.

Cisco Asa 5505 Active Directory Integration

Asa active directory integration systems

Define the AAA Server using LDAP protocol, define the AD server IP address, base-dn, ldap scope, login dn, password and the attribute-map.

Ensure the Tunnel Group used by the AnyConnect VPN is referencing the NOACCESS default-group-policy and the LDAP authentication-server-group.

Enable WebVPN on the OUTSIDE interface.

Verification

Logging in as user1, the output confirms the user has been associated to the correct group-policy GP-1 and IP address of 192.168.14.10.

Logging in as a user2, the output confirms the user has been associated to the group-policy GP-2 and IP address of 192.168.15.10, which is from a different IP Pool.

Asa Active Directory Authentication Vpn

Turn on LDAP debugging using the command debug ldap 255 and log in as a user that has permissions to authenticate to the Remote Access VPN.

From the output below we can determine that the user was successfully authenticated and mapped to the correct group-policy, confirming the LDAP attribute-map is working correctly.