
Authenticate Anyconnect VPN against Active Directory

ciscocharger
Level 1

Hi,

I have a Cisco ASA5520 and have configured it to authenticate against AD using a win2008 box running Network policy server.

In ASDM I can test the auth and it works.

In ASDM->Device Management->AAA Access I can set which auth group I use to auth a user for enable, Telnet, SSH, ASDM/HTTP. When I set SSH to auth using the AD auth group that I created, it works fine....so I know the authentication is working.

Trouble is, it doesn't seem to work for a user authenticating with AnyConnect VPN. I don't seem to be able to find how I tell the ASA to use my AD auth group and not the LOCAL auth group to authenticate VPN users.

Any help is greatly appreciated.

Thanks

M

1 Accepted Solution


Jason Gervia
Cisco Employee

Try this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml

But you're probably landing on the DefaultWEBVPNGroup, so change the authentication to be your ldap/ntlm aaa server group there and see if the behavior changes.


By default, SSL connectivity uses the DefaultWEBVPNGroup tunnel-group/connection profile. If you don't want to use that profile/tunnel-group, you have to use either aliases or group-urls to get it to land on a different one:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

--Jason

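A worked ASA configuration for what the accepted answer describes, added here as an example (it is not from the thread or from Cisco's linked documents): pointing DefaultWEBVPNGroup at the AAA server group, and, alternatively, a dedicated connection profile selected by alias or group-url. The OP authenticates through Windows NPS, so the server group is RADIUS. The names AD-NPS, 10.0.0.10, inside, EMPLOYEES, EMPLOYEES-GP, vpn.example.com and the shared-secret placeholder are all assumptions.

```cisco
! Added example, not from the thread. Assumed names: AD-NPS, 10.0.0.10,
! inside, EMPLOYEES, EMPLOYEES-GP, vpn.example.com.

! The AAA server group: RADIUS to the NPS box. The key is a placeholder and
! must match the RADIUS client entry configured on the NPS side.
aaa-server AD-NPS protocol radius
aaa-server AD-NPS (inside) host 10.0.0.10
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813

! Option 1 (what the OP ended up doing): every AnyConnect session lands on
! DefaultWEBVPNGroup unless an alias or group-url selects another profile,
! so whatever this profile authenticates against is what VPN users get.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD-NPS

! Option 2: a dedicated connection profile reached by alias or URL.
! A trailing LOCAL is only consulted when the RADIUS servers are
! unreachable, not when they reject a password; leave it out if you do
! not want local accounts to be usable at all.
group-policy EMPLOYEES-GP internal
group-policy EMPLOYEES-GP attributes
 vpn-tunnel-protocol ssl-client

tunnel-group EMPLOYEES type remote-access
tunnel-group EMPLOYEES general-attributes
 authentication-server-group AD-NPS LOCAL
 default-group-policy EMPLOYEES-GP
tunnel-group EMPLOYEES webvpn-attributes
 group-alias Employees enable
 group-url https://vpn.example.com/employees enable

! Needed so the AnyConnect client offers the alias in its profile list.
webvpn
 tunnel-group-list enable

! Checks: confirm the server group answers (jdoe/password are placeholders),
! then confirm which profile a session landed on and which AAA group applies.
test aaa-server authentication AD-NPS host 10.0.0.10 username jdoe password PASSWORD-PLACEHOLDER
show running-config tunnel-group DefaultWEBVPNGroup
show vpn-sessiondb detail anyconnect
```

The check that matters from a defender's view is the last one: the Tunnel Group column in `show vpn-sessiondb detail anyconnect` tells you which profile a client actually landed on, and if that is still DefaultWEBVPNGroup with LOCAL authentication, any local ASA account can be used for VPN regardless of what the dedicated profile enforces.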

2 Replies

Yep...works now...just changed the auth method for DefaultWEBVPNGroup to the auth group I created and ....sweet, works!

Thanks