Question

  • #2151685

    Cisco ASA SSL VPN Authentication, Authorization Through LDAP

    Locked

    by mrgphillips ·

    Hi,

    We are trying to manage our Cisco ASA 5510 SSL & AnyConnect VPN clients through Active Directory.

    Currently the VPN tunnel is up and all users are able to connect, being authenticated by AD.

    My goal is to only allow users that belong to a specific group in Active Directory to connect.

    Once that is accomplished, I want users to get a group policy from the Cisco ASA based on which group they belong to in AD.

All Answers

    • #2993611

      Clarifications

      by mrgphillips ·

      In reply to Cisco ASA SSL VPN Authentication, Authorization Through LDAP

    • #2890559

      There is a way to somehow do it, as far as I’ve found

      by nuttybunny ·

      In reply to Cisco ASA SSL VPN Authentication, Authorization Through LDAP

      Well, I already found a solution for this, but it’s not ideal. It works by placing your users in a certain place on your domain tree.

      For example, if you put your users in OU=vpnusers,DC=domain,DC=com you could do something like:

      aaa-server ldap_author protocol ldap
      aaa-server ldap_author (inside) host x.x.x.x
       ! 389 is the standard LDAP port and the ASA default for non-LDAPS (value assumed here)
       server-port 389
       ! Only entries under this OU are searched, so users elsewhere are never found
       ldap-base-dn OU=vpnusers,DC=domain,DC=com
       ! onelevel = direct children of the base DN only; subtree would include nested OUs
       ldap-scope onelevel
       ! The login name is matched against this attribute
       ldap-naming-attribute sAMAccountName
       ldap-login-password *
       ldap-login-dn CN=admin,DC=domain,DC=com
       server-type auto-detect

      If you do a test with a user that is on that branch of the tree, you’ll get
      INFO: Authorization Successful

      And if the user is elsewhere, you’ll get
      ERROR: Authorization Rejected: User was not found

      Maybe it’s not the most elegant solution but that’s what I’ve found so far as the documentation on this is scarce 🙁
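The following is an added example, not code from the thread or from Cisco: a small Python model of the LDAP lookup the ASA performs with the aaa-server above, showing why the base DN plus scope alone decides who is "found" and that, with `ldap-scope onelevel`, a user in a nested OU under vpnusers is rejected too. The directory contents and user names are constructed sample data.

```python
# Added example (not from the forum thread): model the ASA's LDAP authorization search
# so the effect of ldap-base-dn and ldap-scope on "User was not found" is visible.

def parse_dn(dn):
    """Split a DN into (type, value) RDNs, normalising case and whitespace."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is visible from base_dn under LDAP scope base/onelevel/subtree."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # entry is not under the base DN at all
    depth = len(entry) - len(base)        # 0 = the base itself, 1 = direct child, ...
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

# Constructed directory: one entry per user, keyed by DN
DIRECTORY = [
    {"dn": "CN=Alice,OU=vpnusers,DC=domain,DC=com", "sAMAccountName": "alice"},
    {"dn": "CN=Bob,OU=contractors,OU=vpnusers,DC=domain,DC=com", "sAMAccountName": "bob"},
    {"dn": "CN=Carol,OU=staff,DC=domain,DC=com", "sAMAccountName": "carol"},
]

def authorize(login, base_dn="OU=vpnusers,DC=domain,DC=com", scope="onelevel",
              naming_attr="sAMAccountName"):
    """Mimic the ASA lookup: search base_dn at the given scope for (naming_attr=login).
    A hit yields the success message; no hit yields the rejection the post quotes."""
    matches = [e["dn"] for e in DIRECTORY
               if e.get(naming_attr, "").lower() == login.lower()
               and in_scope(e["dn"], base_dn, scope)]
    if matches:
        return "INFO: Authorization Successful"
    return "ERROR: Authorization Rejected: User was not found"

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "onelevel:", authorize(user))
        print(user, "subtree: ", authorize(user, scope="subtree"))
```

Bob only succeeds with `subtree`, which is the check to run before choosing a scope if you keep sub-OUs under vpnusers.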
