5510 AAA users sync to Active Directory

Unanswered Question
Sep 2nd, 2008

I have a list of local users set up for VPN access on my 5510. I am wondering if there is any script for syncing the users on my Active Directory server to my ASA 5510, rather than entering them manually on the 5510?

Thanks.

Premdeep Banga Tue, 09/02/2008 - 12:40

I recommend configuring an AAA server group using LDAP as the protocol, and authenticating users against the database on AD.

aaa-server ldap-authenticate-grp protocol ldap
aaa-server ldap-authenticate-grp host
 ldap-base-dn
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-dn
 ldap-login-password

For example:

aaa-server ldap-authenticate-grp protocol ldap
aaa-server ldap-authenticate-grp host 10.1.1.4
 ldap-base-dn cn=Users,dc=frdevtestad,dc=local
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-dn cn=Administrator,cn=Users,dc=frdevtestad,dc=local
 ldap-login-password anypassword

Then do something like:

tunnel-group ipsec-tunnelgroup type ipsec-ra
tunnel-group ipsec-tunnelgroup general-attributes
 authentication-server-group ldap-authenticate-grp

For more reference please refer to,

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/extsvr.html#wp1574952

I don't think there is any script to do that, nor would it be feasible.

Regards,

Prem

Please rate if this helps!
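As an added illustration (not part of Prem's post and not Cisco's own code), the Python below models the user search the ASA performs with the `ldap-base-dn`, `ldap-scope` and `ldap-naming-attribute` settings shown above, run against a small directory constructed for this example. It shows two things worth checking before deploying such a configuration: `ldap-scope subtree` is required when accounts sit in sub-OUs beneath the base DN, and with Active Directory `ldap-naming-attribute cn` matches the full common name, so a user typing their Windows logon name (the `sAMAccountName` attribute) will not be found unless the naming attribute is changed accordingly. The DNs, account names and directory contents are constructed; a real ASA first binds with `ldap-login-dn`, then searches, then binds as the user it found, and only the search step is modelled here.

```python
"""Model of the ASA's LDAP user lookup (search step only).

Added example; the directory, DNs and account names below are
constructed for illustration and are not from any real domain.
"""

# Constructed toy directory: DN -> attributes. One account sits directly
# under cn=Users, one in a sub-OU beneath it, one outside the base DN.
DIRECTORY = {
    "cn=John Smith,cn=Users,dc=frdevtestad,dc=local": {
        "cn": "John Smith", "sAMAccountName": "jsmith"},
    "cn=Ann Lee,ou=VPN Users,cn=Users,dc=frdevtestad,dc=local": {
        "cn": "Ann Lee", "sAMAccountName": "alee"},
    "cn=Bob Tan,ou=Contractors,dc=frdevtestad,dc=local": {
        "cn": "Bob Tan", "sAMAccountName": "btan"},
}


def split_dn(dn):
    """Split a DN into RDN components, lower-cased for comparison.

    Whitespace after the separating commas (as in the thread's
    'cn=Users, dc=...' example) is tolerated, as RFC 4514 permits.
    """
    return [part.strip().lower() for part in dn.split(",")]


def dn_in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn lies under base_dn for the given ldap-scope.

    'onelevel' accepts only direct children of the base; 'subtree'
    accepts any depth. The base object itself is never a user entry,
    so it is excluded in both cases.
    """
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("ldap-scope must be 'onelevel' or 'subtree'")


def find_user_dn(username, base_dn, scope, naming_attr, directory=DIRECTORY):
    """Return the DN the ASA would bind as for username, or None.

    Mirrors ldap-base-dn, ldap-scope and ldap-naming-attribute: the
    naming attribute of exactly one in-scope entry must equal the name
    the user typed (case-insensitive, as AD compares these attributes).
    An ambiguous result (several matches) also fails authentication.
    """
    matches = [dn for dn, attrs in directory.items()
               if dn_in_scope(dn, base_dn, scope)
               and attrs.get(naming_attr, "").lower() == username.lower()]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    base = "cn=Users,dc=frdevtestad,dc=local"
    checks = [
        ("John Smith", base, "subtree", "cn"),      # found: full CN typed
        ("jsmith", base, "subtree", "cn"),          # not found: logon name != cn
        ("jsmith", base, "subtree", "sAMAccountName"),  # found
        ("alee", base, "onelevel", "sAMAccountName"),   # not found: in sub-OU
        ("alee", base, "subtree", "sAMAccountName"),    # found
        ("btan", base, "subtree", "sAMAccountName"),    # not found: outside base
    ]
    for user, b, scope, attr in checks:
        print(f"{user!r:14} scope={scope:8} attr={attr:15} ->",
              find_user_dn(user, b, scope, attr))
```

For an AD-backed VPN group, the naming attribute most administrators want is therefore `sAMAccountName` rather than `cn`, and the base DN should be wide enough (with `ldap-scope subtree`) to cover every OU the VPN accounts live in, but no wider than necessary, so that the service account named in `ldap-login-dn` only needs read access to that part of the tree.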

kerryjcox Wed, 09/03/2008 - 08:17

I think this may do it for us. I had actually been looking at purchasing an ACS server from Cisco in order to facilitate this transaction, but I will test your scripts right now on my test 5505 before deploying to the local 5510.

Thanks much.

kerryjcox Wed, 09/03/2008 - 09:43

I was unable to verify whether this works or not, as I was attempting the configuration on a test 5505. It wants to place the AD server on the inside network, which cannot be done at the present time.

I am placing a 5510 inline next week and will attempt the synchronization of AD accounts to the 5510 then.

Thanks.

Hi

Please, I would like to ask a question on this topic (ASA and Microsoft Active Directory sync).

I am still confused about this topic: what is the purpose of doing this sync between the ASA and Microsoft Active Directory?

Is it only for VPN users,

or can it help in internet filtering (with a server like ISA Server)? I am still very confused; I hope someone will reply to me.

Thanks a lot.

Jennifer Halim Tue, 10/30/2012 - 04:34

AD authentication can be used for VPN users.

It can also be used:

- If you have CSC module for web filtering per user/group based.

- For the Identity Firewall feature (configuring an access-list with AD users as one of the fields).

- If you are running the latest version of ASA (version 9.x) which is just out today, you can redirect the traffic to ScanSafe web security cloud with AD authentication as well.

Hope that answers your question.

Thank you very much, I appreciate your answer.

Your answer made me want to ask you another question.

I want to sync between the ASA and the Microsoft AD to do the following:

redirecting traffic to Microsoft ISA Server; also, the ASA is configured as a gateway.

I read about the WCCP protocol, but I found that ISA Server does not support this protocol; there are other servers like Squid and Websense, etc.

My goal is to filter all the web traffic and wireless.

So what is the best scenario to do this task with DC & ISA?

Note:

ASA IOS is 7.2

I don't have a CSC module.

Also, I hope there is another solution without the ISA.

Thanks a lot.

Jennifer Halim Wed, 10/31/2012 - 04:26

Unfortunately you can't transparently redirect to the ISA server if it doesn't support WCCP, as that is the only way to transparently redirect to the ISA server.

You would need to configure your hosts to use explicit proxy to use the ISA proxy server.

I understand from you that this means syncing between the Microsoft AD and the ASA is also not the solution to accomplish the web filtering, because I only want to do this sync for that reason.

So there is no need to go on with the sync configuration between the ASA and AD, is that right?

Also, is there any free server that can support WCCP instead of ISA Server (content filtering)?
