Authenticate users with Active Directory using AnyConnect

Aug 29th, 2008

We just installed AnyConnect and want to use Active Directory to authenticate the users logging on to the network. I can create a user on the ASA and it downloads the software correctly. I can't seem to find the procedures to make it use Active Directory. Thanks in advance...

pmccubbin Fri, 08/29/2008 - 10:25

Hi Andrew,

I have a follow-up question regarding IPSec remote access with an ASA ver 8.04 box:

After the user is authenticated against AD, I then want them to be authenticated against an RSA PIN and Token.

Is the only way to do this with a RADIUS server in between the ASA and the AD? It doesn't appear the ASA can accomplish this sequence.

Thank you in advance.

Paul

Paul,

I know that the ASA/PIX cannot authenticate your particular sequence using the Cisco VPN Client. I am not sure what all the auth methods are available for SSL; it may be possible, but unlikely.

I have not had cause to try and provide AD credentials and SecurID in an auth session to gain access. Perhaps some other netpros have.

HTH

pmccubbin Sat, 08/30/2008 - 10:17

Hi Andrew,

Thank you for the confirmation of what Cisco and RSA have told me.

The funny thing is that Juniper can do this.

I hope someone from Cisco is reading this because our customer interprets PCI compliance to mean that VPN users must authenticate against AD and use the RSA Pin and Token.

They back this judgement by saying that if they just use the classic two-factor (something you know and something you have), then if the end user loses the Token or the battery dies on the Token, the person can receive a temporary password to access resources. This is one-factor and not PCI. To make a long story short, they believe they must use both AD and RSA in order to remain in compliance.

Thanks again. A "5" for your efforts from NYC.

Paul

pmccubbin Mon, 09/01/2008 - 05:43

Hi Marwan,

Thanks for the reply. Please correct me if I am wrong but this link you offered had to do with certificates.

To reiterate my problem, I needed to know if the ASA could sequentially query Active Directory for authentication and authorization, then query RSA Authentication Manager. It appears from what both Cisco and RSA have told me that this is not possible with the ASA at this time.

ryancolson Tue, 09/09/2008 - 05:16

I don't know about the RSA part, but I do know that a Cisco ASA can check against AD, and map a group policy to a given LDAP/AD group. There are some limitations of this method.
