Authenticate users with Active Directory using AnyConnect

larry68gmc
Level 1

We just installed AnyConnect and want to use Active Directory to authenticate the users logging on to the network. I can create a user on the ASA and it downloads the software correctly. I can't seem to find the procedures to make it use Active Directory. Thanks in advance...

7 Replies

Hi Andrew,

I have a follow-up question regarding IPSec remote access with an ASA ver 8.04 box:

After the user is authenticated against AD, I then want them to be authenticated against an RSA PIN and Token.

Is the only way to do this with a RADIUS server in between the ASA and the AD? It doesn't appear the ASA can accomplish this sequence.

Thank you in advance.

Paul

Paul,

I know that the ASA/PIX cannot authenticate your particular sequence using the Cisco VPN Client. I am not sure what all the auth methods are avail for SSL, it may be possible....but unlikely.

I have not had cause to try and provide AD credentials, and SecureID in an auth session to gain access. Perhaps some other netpro's have.

HTH

Hi Andrew,

Thank you for the confirmation of what Cisco and RSA have told me.

The funny thing is that Juniper can do this.

I hope someone from Cisco is reading this because our customer interprets PCI compliance to mean that VPN users must authenticate against AD and use the RSA Pin and Token.

They back this judgement by saying that if they just use the classic two-factor (something you know and something you have) then if the end user loses the Token or the battery dies on the Token, the person can receive a temporary password to access resources. This is one-factor and not PCI. To make a long story short, they believe they must use both AD and RSA in order to remain in compliance.

Thanks again. A "5" for your efforts from NYC.

Paul

Hi Marwan,

Thanks for the reply. Please correct me if I am wrong but this link you offered had to do with certificates.

To reiterate my problem, I needed to know if ASA could sequentially query Active Directory for authentication and authorization, then query RSA Authentication Manager. It appears from what both Cisco and RSA have told me that this is not possible with the ASA at this time.

I don't know about the RSA part, but I do know that a Cisco ASA can check against AD, and map a group policy to a given LDAP/AD group. There are some limitations of this method.
