Cisco ASA SSL VPN Authentication, Authorization Through LDAP

By mrgphillips ·

We are trying to manage our Cisco ASA 5510 SSL & AnyConnect VPN clients through Active Directory.

Currently the VPN tunnel is up and all users are able to connect, being authenticated by AD.

My goal is to only allow users that belong to a specific group in Active Directory to connect.

Once that is accomplished I want users to get a group policy from the Cisco ASA based on which group they belong to in AD.


All Answers


There is a way to somehow do it, as far as I've found

by NuttyBunny In reply to Cisco ASA SSL VPN Authent ...

Well, I already found a solution for this, but it's not ideal. It works by placing your users in a certain place in your domain tree.

For example, if you put your users in OU=vpnusers,DC=domain,DC=com you could do something like:

aaa-server ldap_author protocol ldap
! Authorization server; only entries directly under the base DN are searched (onelevel),
! so a user placed elsewhere in the tree is rejected as "not found"
aaa-server ldap_author (inside) host x.x.x.x
 server-port <port>
 ldap-base-dn OU=vpnusers,DC=domain,DC=com
 ldap-scope onelevel
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=admin,DC=domain,DC=com
 server-type auto-detect

If you do a test with a user that is on that branch of the tree, you'll get
INFO: Authorization Successful

And if the user is elsewhere, you'll get
ERROR: Authorization Rejected: User was not found

Maybe it's not the most elegant solution, but that's what I've found so far, as the documentation on this is scarce.
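To see exactly which users the `ldap-base-dn` / `ldap-scope onelevel` pair in the answer above will accept, here is an added offline model (not code from the thread) of the lookup the ASA performs: a search for the naming attribute under the base DN, restricted by scope. The directory entries are constructed samples; it shows that a user in a nested OU beneath vpnusers is rejected under `onelevel` but accepted under `subtree`.

```python
"""Offline model of the LDAP authorization lookup an ASA performs.

Added example, not from the original thread. The entries below are
constructed sample data; the scope semantics follow the LDAP search
scopes base / onelevel / subtree that the ldap-scope keyword selects.
"""
import re

# Constructed sample directory: DN -> attributes (only sAMAccountName matters here).
DIRECTORY = {
    "CN=alice,OU=vpnusers,DC=domain,DC=com": {"sAMAccountName": "alice"},
    "CN=bob,OU=contractors,OU=vpnusers,DC=domain,DC=com": {"sAMAccountName": "bob"},
    "CN=carol,OU=staff,DC=domain,DC=com": {"sAMAccountName": "carol"},
}

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn lies inside base_dn under the given scope."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if [r.lower() for r in entry[-len(base):]] != [r.lower() for r in base]:
        return False                   # not under the base at all
    depth = len(entry) - len(base)     # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("unknown scope: %s" % scope)

def authorize(username, base_dn, scope, naming_attr="sAMAccountName"):
    """Mimic the ASA authorization test: look the user up by naming attribute
    within the configured base DN and scope. Returns the matching DN, or None,
    which corresponds to 'Authorization Successful' vs. 'User was not found'."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get(naming_attr, "").lower() == username.lower() and in_scope(dn, base_dn, scope):
            return dn
    return None

if __name__ == "__main__":
    base = "OU=vpnusers,DC=domain,DC=com"
    for user in ("alice", "bob", "carol"):
        for scope in ("onelevel", "subtree"):
            print(user, scope, authorize(user, base, scope) or "User was not found")
```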
