WebVPN (clientless) + Windows Auth

satishcp · ‎03-18-2008

Hi All,

I've configured SSLVPN on Cisco ASA 5540 to authenticate using Windows AD by providing DomainController information. Though the authentication is working, I'm bit concerned about the security as this method of authentication mechanism would expose remote access to every other account on Windows AD (including service accounts).

Is there a mecahnism / way to restrict the authenticate to specific group of users while using Windows AD for authentication on Cisco ASA for SSLVpn?

Please note: There is no ACS server available on the network.

Appreciate quick help on this,

mainesy · ‎03-18-2008

You can setup Dynamic Access Policies and configure it for a particular AD Security Group. You would need to map the LDAP memberOf field to the AD Security Group name.

Josh

satishcp · ‎03-21-2008

Hi Josh,

Thanks for this excellent suggestion. Though would like to know if I need to enable LDAP authentication for WebUsers OR still live with Windows Auth using the following commands..

aaa-server ADdomain protocol nt

aaa-server ADdomain host 1.1.1.1

nt-auth-domain.controller dc1

Thanks

PeterBodzay · ‎03-21-2008

Hi,

another way might be to configure a MS IAS server on one of your Windows Servers.

Creating Remote Access policys and using the IAS as a Radius server might have a advantage that You can use it for more then just Web VPN, like perhaps 802.1x on WLANs etc.

Another would be that it might be easier to create multiple and different access policys for different AD-security groups.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

Hope this helps in some way