SSL VPN client authentication

fdouble08
Level 1

Currently our ASA is configured to use LDAP for authenticating VPN clients.  I read several manuals that show how to set the ASA up for either LDAP, RADIUS, or LOCAL authentication.  What I'd like to do is use both LDAP and LOCAL authentication, such that if a client connects, it would check for local authentication before checking LDAP.  Has anyone had success doing this and could share an example config?

Thanks!


4 Replies

Todd Pula
Level 7

ASA 8.2 and later has a feature called Double Authentication in which you can require two forms of authentication for Clientless WebVPN and AnyConnect users.  In your case, the local database can be checked first followed by LDAP.  Users will need to successfully authenticate to both in this case.

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1243545

That would grant access to users who I wish to give access to the network without having to give them an AD account.  But, you're saying I'd also have to put the AD account users' IDs/passwords in the ASA for local authentication as well?  Say it ain't so!

It sounds like double authentication isn't what you are looking for.  Based on the above requirement, you will be better off configuring a separate tunnel group for your restricted users which will use local authentication exclusively.  You can then present the users with a drop-down menu on the auth portal where they choose their desired tunnel group.  Alternatively, you can configure group-urls in order to direct the users to the correct tunnel group.  For example, you could have https://vpn.vpn.com/employee and https://vpn.vpn.com/vendor where the employee TG will use LDAP and the vendor TG will use local auth.
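An ASA configuration sketch of the two-tunnel-group setup described in this reply, added here as an illustration and not taken from the thread. The server, tunnel-group, group-policy and ACL names (LDAP_SRV, TG_EMPLOYEE, TG_VENDOR, GP_EMPLOYEE, GP_VENDOR, VENDOR_ACL), the IP addresses and the LDAP DNs are assumed; the vpn-tunnel-protocol keywords use ASA 8.4+ syntax (8.2 uses svc/webvpn instead).

```cisco
! LDAP server used only by the employee tunnel group (host and DNs are assumed values)
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <LDAP-BIND-PASSWORD-PLACEHOLDER>
 server-type microsoft
!
! Local-only vendor account: no admin login, pinned to the vendor group policy
username vendor1 password <PASSWORD-PLACEHOLDER> privilege 0
username vendor1 attributes
 service-type remote-access
 vpn-group-policy GP_VENDOR
!
! Limit what vendor sessions may reach (assumed host), deny everything else
access-list VENDOR_ACL extended permit tcp any host 10.0.1.20 eq 3389
access-list VENDOR_ACL extended deny ip any any
!
group-policy GP_EMPLOYEE internal
group-policy GP_EMPLOYEE attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
group-policy GP_VENDOR internal
group-policy GP_VENDOR attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-filter value VENDOR_ACL
 group-lock value TG_VENDOR
!
! Employee tunnel group: LDAP authentication, reached via /employee
tunnel-group TG_EMPLOYEE type remote-access
tunnel-group TG_EMPLOYEE general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy GP_EMPLOYEE
tunnel-group TG_EMPLOYEE webvpn-attributes
 group-alias employee enable
 group-url https://vpn.vpn.com/employee enable
!
! Vendor tunnel group: LOCAL authentication only, reached via /vendor
tunnel-group TG_VENDOR type remote-access
tunnel-group TG_VENDOR general-attributes
 authentication-server-group LOCAL
 default-group-policy GP_VENDOR
tunnel-group TG_VENDOR webvpn-attributes
 group-alias vendor enable
 group-url https://vpn.vpn.com/vendor enable
! Show the tunnel-group drop-down on the portal login page
webvpn
 tunnel-group-list enable
```

Local accounts live in the running config rather than in AD, so they need their own lifecycle: remove each vendor username when the engagement ends, and keep the vpn-filter so a local account only reaches the hosts it was created for.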

I suspected I might have to use separate tunnel groups.  Thanks for your input!
