07-28-2010 05:29 AM
Currently our ASA is configured to use LDAP for authenticating VPN clients. I read several manuals that show how to set the ASA up for either LDAP, RADIUS, or LOCAL authentication. What I'd like to do is use both LDAP and LOCAL authentication, such that if a client connects, it would check for local authentication before checking LDAP. Has anyone had success doing this and could share an example config?
Thanks!
07-28-2010 09:36 AM
ASA 8.2 and later has a feature called Double Authentication in which you can require two forms of authentication for Clientless WebVPN and AnyConnect users. In your case, the local database can be checked first followed by LDAP. Users will need to successfully authenticate to both in this case.
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1243545
07-28-2010 10:30 AM
That would grant access to users who I wish to give access to the network without having to give them an AD account. But, you're saying I'd also have to put the AD account users' IDs/passwords in the ASA for local authentication as well? Say it ain't so!
07-28-2010 10:36 AM
It sounds like double authentication isn't what you are looking for. Based on the above requirement, you will be better off configuring a separate tunnel group for your restricted users which will use local authentication exclusively. You can then present the users with a drop down menu on the auth portal where they choose their desired tunnel group. Alternatively, you can configure group-urls in order to direct the users to the correct tunnel group. For example, you could have https://vpn.vpn.com/employee and https://vpn.vpn.com/vendor where the employee TG will use LDAP and the vendor TG will use local auth.
07-28-2010 10:53 AM
I suspected I might have to use separate tunnel groups. Thanks for your input!