09-02-2008 12:32 PM
I have a list of local users set up for VPN access on my 5510. Wondering if there is any script for syncing up the users on my Active Directory server to my ASA 5510 rather than entering them manually on the 5510?
Thanks.
09-02-2008 12:40 PM
I recommend configuring an AAA server group using LDAP as the protocol, and authenticating users against the database on AD.
aaa-server ldap-authenticate-grp protocol ldap
aaa-server ldap-authenticate-grp host
 ldap-base-dn
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-dn
 ldap-login-password
Example:
! LDAP server group and the AD server it points to
aaa-server ldap-authenticate-grp protocol ldap
aaa-server ldap-authenticate-grp host 10.1.1.4
 ! container under which user objects are searched (subtree = child containers included)
 ldap-base-dn cn=Users,dc=frdevtestad,dc=local
 ldap-scope subtree
 ! attribute matched against the username typed into the VPN client
 ldap-naming-attribute cn
 ! account the ASA binds with to search for the user (DN written without stray spaces)
 ldap-login-dn cn=Administrator,cn=Users,dc=frdevtestad,dc=local
 ldap-login-password anypassword
Then do something like:
tunnel-group ipsec-tunnelgroup type ipsec-ra
tunnel-group ipsec-tunnelgroup general-attributes
 authentication-server-group ldap-authenticate-grp
For more reference, please refer to:
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/extsvr.html#wp1574952
I don't think there is any script to do that, nor would it be feasible.
Regards,
Prem
Please rate if this helps!
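To make concrete why no "sync" is needed, here is an added example (not from this thread, Cisco, or any ASA code) that replays the three LDAP operations the ASA performs at each VPN login with the aaa-server values above: bind as ldap-login-dn, search under ldap-base-dn for ldap-naming-attribute = username, then bind as the entry found with the password the user typed. The BER/LDAPv3 encoder, the FakeAD class standing in for the server at 10.1.1.4, the user jdoe and all passwords are constructed for the example; no LDAP library is used so it runs offline.

```python
# Minimal BER / LDAPv3 encoding and decoding (only what the bind/search flow needs).
def ber_len(n):
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v, tag=0x02):          # INTEGER (0x02) or ENUMERATED (0x0A), non-negative
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def ber_str(s):                    # OCTET STRING / LDAPDN
    return tlv(0x04, s.encode())

def ber_seq(*parts):               # SEQUENCE
    return tlv(0x30, b"".join(parts))

def decode_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_seq(buf):
    """Split a constructed value into [(tag, value), ...]."""
    items, pos = [], 0
    while pos < len(buf):
        tag, val, pos = decode_tlv(buf, pos)
        items.append((tag, val))
    return items

# LDAPv3 messages the ASA sends: BindRequest [APPLICATION 0], SearchRequest [APPLICATION 3].
def bind_request(msg_id, dn, password):
    op = tlv(0x60, ber_int(3) + ber_str(dn) + tlv(0x80, password.encode()))  # simple auth
    return ber_seq(ber_int(msg_id), op)

def search_request(msg_id, base_dn, attr, value, scope=2):     # scope 2 = ldap-scope subtree
    flt = tlv(0xA3, ber_str(attr) + ber_str(value))             # equalityMatch (attr=value)
    op = tlv(0x63, ber_str(base_dn) + ber_int(scope, 0x0A) + ber_int(0, 0x0A)
             + ber_int(0) + ber_int(0) + tlv(0x01, b"\x00") + flt + ber_seq())
    return ber_seq(ber_int(msg_id), op)

def ldap_result(msg_id, op_tag, code, diag=""):
    """LDAPResult body used by BindResponse (0x61) and SearchResultDone (0x65)."""
    return ber_seq(ber_int(msg_id), tlv(op_tag, ber_int(code, 0x0A) + ber_str("") + ber_str(diag)))

def parse_messages(data):
    """Return [(msg_id, op_tag, [(tag, value), ...]), ...] for every LDAPMessage in data."""
    out = []
    for _, msg in decode_seq(data):
        (_, mid), (op_tag, op_val) = decode_seq(msg)
        out.append((int.from_bytes(mid, "big"), op_tag, decode_seq(op_val)))
    return out

class FakeAD:
    """Constructed stand-in for the AD server at 10.1.1.4: {dn: (cn, password)}."""
    def __init__(self, entries):
        self.entries = entries

    def handle(self, request):
        mid, op_tag, f = parse_messages(request)[0]
        if op_tag == 0x60:                                     # BindRequest: version, name, simple
            dn, pw = f[1][1].decode(), f[2][1].decode()
            ok = dn in self.entries and self.entries[dn][1] == pw
            return ldap_result(mid, 0x61, 0 if ok else 49)     # 49 = invalidCredentials
        if op_tag == 0x63:                                     # SearchRequest: filter is field 6
            base = f[0][1].decode().lower()
            attr, value = (v.decode() for _, v in decode_seq(f[6][1]))
            hits = [dn for dn, (cn, _) in self.entries.items()
                    if attr == "cn" and cn == value and dn.lower().endswith(base)]
            entries = b"".join(ber_seq(ber_int(mid), tlv(0x64, ber_str(dn) + ber_seq())) for dn in hits)
            return entries + ldap_result(mid, 0x65, 0)         # SearchResultEntry* + SearchResultDone
        raise ValueError("unsupported operation")

def asa_ldap_authenticate(cfg, username, password, send):
    """Replay the ASA's flow: bind as ldap-login-dn, search for the user, bind as the user."""
    fields = parse_messages(send(bind_request(1, cfg["ldap-login-dn"], cfg["ldap-login-password"])))[0][2]
    if int.from_bytes(fields[0][1], "big") != 0:
        return False, "login-dn bind failed"
    hits = [f[0][1].decode() for _, tag, f in parse_messages(
        send(search_request(2, cfg["ldap-base-dn"], cfg["ldap-naming-attribute"], username))) if tag == 0x64]
    if len(hits) != 1:                                         # no match, or ambiguous match
        return False, f"expected exactly one entry, got {len(hits)}"
    fields = parse_messages(send(bind_request(3, hits[0], password)))[0][2]
    return int.from_bytes(fields[0][1], "big") == 0, hits[0]

ASA_CFG = {                        # values from the example aaa-server block in the thread
    "ldap-base-dn": "cn=Users,dc=frdevtestad,dc=local",
    "ldap-naming-attribute": "cn",
    "ldap-login-dn": "cn=Administrator,cn=Users,dc=frdevtestad,dc=local",
    "ldap-login-password": "anypassword",
}
AD = FakeAD({                      # constructed directory contents
    "cn=Administrator,cn=Users,dc=frdevtestad,dc=local": ("Administrator", "anypassword"),
    "cn=jdoe,cn=Users,dc=frdevtestad,dc=local": ("jdoe", "Winter-2008!"),
    "cn=jdoe,ou=Contractors,dc=frdevtestad,dc=local": ("jdoe", "other"),  # outside base DN
})

if __name__ == "__main__":
    print(asa_ldap_authenticate(ASA_CFG, "jdoe", "Winter-2008!", AD.handle))
    print(asa_ldap_authenticate(ASA_CFG, "jdoe", "wrong-password", AD.handle))
```

Nothing about the user is ever copied to the firewall: the ASA holds only the login-DN credentials and asks AD at every login, which is why a "sync script" has no role. Two points a practitioner would check before deploying the example block as written: the login DN is a domain Administrator and the exchange runs over cleartext LDAP, so every user password and the Administrator password cross the inside network unencrypted. A dedicated read-only bind account, and `ldap-over-ssl enable` with `server-port 636` under the same aaa-server host block, address both.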
09-03-2008 08:17 AM
I think this may do it for us. I had actually been looking at purchasing an ACS server from Cisco in order to facilitate this transaction, but I will test your scripts right now on my test 5505 before deploying to the local 5510.
Thanks much.
09-03-2008 09:43 AM
I was unable to verify whether this works or not, as I was attempting the configuration on a test 5505. It wants to place the AD server on the inside network, which cannot be done at the present time.
I am placing a 5510 inline next week and will attempt the synchronization of AD accounts to the 5510 then.
Thanks.
10-30-2012 04:27 AM
Hi,
Please, I would like to ask a question on this topic (ASA and Microsoft Active Directory sync).
I am still confused about this topic: what is the purpose of doing this sync between the ASA and Microsoft Active Directory?
Is it just only for VPN users,
or can it help in internet filtering with a server like ISA Server? I am still very confused, please, I hope someone can reply to me.
Thanks a lot.
10-30-2012 04:34 AM
AD authentication can be used for VPN users.
It can also be used:
- If you have a CSC module, for web filtering per user/group.
- For the Identity Firewall feature (configuring an access-list with AD users as one of the fields).
- If you are running the latest version of ASA (version 9.x) which is just out today, you can redirect the traffic to ScanSafe web security cloud with AD authentication as well.
Hope that answers your question.
10-31-2012 03:58 AM
Thank you very much, I appreciate your answer.
Your answer made me want to ask you another question.
I want to sync between the ASA and the Microsoft AD to do the following:
redirecting traffic to Microsoft ISA Server; also the ASA is configured as a gateway.
I read about the WCCP protocol but I found that ISA Server is not supporting this protocol; there are other servers like Squid and Websense etc.
My goal is to filter all the web traffic and wireless,
so what is the best scenario to do this task with DC & ISA?
Note:
ASA IOS is 7.2
I don't have a CSC module
Also I hope there is another solution without the ISA.
Thanks a lot.
10-31-2012 04:26 AM
Unfortunately you can't transparently redirect to ISA server if it doesn't support WCCP as that will be the only solution to transparently redirect to ISA server.
You would need to configure your hosts to use explicit proxy to use the ISA proxy server.
11-01-2012 01:20 AM
I understand from you that this means the sync between the Microsoft AD and the ASA is also not the solution to accomplish the web filtering, because I only want to do this sync for this reason,
so there is no need to go on with the SYNC configuration between the ASA and AD. Is that right?
ALSO, is there any free server that can support WCCP INSTEAD OF ISA SERVER (content filtering)?