04-26-2012 08:31 AM
I am looking for some advice. I have roughly 50 users that are remote, and use VPN to access the resources in my network such as file servers, application servers etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan of Microsoft VPN.
I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely, but also want them to authenticate from their Active Directory credentials. Is this possible?
If authenticating to AD from Cisco is not traditional, and problematic, then I am open to suggestions. I do not have web licenses, only the AnyConnect.
Thanks.
04-26-2012 10:22 AM
ASA can talk to AD over LDAP. Not a problem there.
Regarding the whole idea - you can, but you don't have to move away from MS VPN client - one of the modes - L2tp over IPsec is supported on ASA.
If that's not enough for some reason you have SSL VPN or IPsec VPN - in both cases I suggest looking at Anyconnect client. Old Cisco VPN client will be soon out of support - but is still working for the most part.
04-27-2012 07:39 AM
Marcin -
Thanks for the reply. I do have the AnyConnect client. How do I configure AnyConnect to LDAP? Not sure if I should use the GUI or command line. GUI seems more intuitive since I'm a step above a VPN novice. When I set up my site-to-site VPN between my building and another building, it really junked up my config.
Thanks in advance.
04-26-2012 10:32 AM
Hello,
check for the Anyconnect essential license.
AnyConnect Essentials
1. Client based model. Client gets installed on Remote computers to connect into the Remote network via SSL or IPsec IKEv2.
2. Single license per active device (YOU NEED TO BUY 2 LICENSES IF A CLUSTER OF 2 UNITS IS DEPLOYED).
3. Full tunneling access to Enterprise applications.
4. LDAP users integration with NO additional cost.
5. IPv6 fully compliant (in the next release of ASA in July 2012 IPv6 to IPV6 tunnel)
For example product:
Anyconnect Essentials VPN License ASA 5520 750 Users
(750 users simultaneous connected for single ASA!)
product code: L-ASA-AC-E-5520=
TOTAL price: $144
http://www.provantage.com/cisco-systems-l-asa-ac-e-5520~7CSCI0E3.htm
04-27-2012 07:34 AM
Roberto -
Thanks for the info. I purchased a bunch of licenses. One of which was the Anyconnect Essentials, so not sure why it is showing 'disabled'. Here is what it looks like when I do a show ver.
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Any config ideas on how to set the AnyConnect to LDAP?
04-27-2012 07:51 AM
Have you reloaded the ASA after the install of the license key ?
About the LDAP configuration please check the
NOTE:
You can create an ACL on the ASA and use the ldap attribute map to map the attribute with the IETF-Radius-Filter-ID attribute.
In order to check the creation of the LDAP attribute map, you can go to http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Instead of the “IETF-Radius-Class” you would need to use “IETF-Radius-Filter-Id”.
Multiple attribute mapping is NOT supported by LDAP attribute map, it works on the first match !!!
I.e. if the user is part of both the groups, the matching would be done based on the first match; it would not check the next line. So if the user is part of both the groups it would be mapped only with the first LDAP map configuration.
04-27-2012 10:31 AM
Briefly as indicated by CISCO Herbert Baerten CCIE #20060 (Security)
https://supportforums.cisco.com/thread/2120492
When the ASA performs an LDAP authentication request, the AD server will (if the authentication is successful) send back a number of attributes, one of which is the "memberOf" attribute which tells the ASA what AD group(s) the user is in.
The attributes are taken from (in this order):
- the DAP policy
- user attributes pushed by the AAA server
- group-policy pushed by the AAA server
- group-policy defined in the tunnel-group
- DfltGrpPolicy
The "memberOf" attribute can be used in 2 ways:
1)
Method 1: using DAP (Dynamic Access Policies)
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
Using ASDM, create a DAP rule that matches on AAA attribute "ldap.memberOf" and the action set to "continue".
Then in the default rule, set the action to "terminate".
This way only users that are part of the group matched in the first rule will be granted access, all others will be denied.
2)
Method 2
("simple/better and WORKING method for my customers"): using an LDAP attribute map
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
Start by creating 2 group-policies, as described in the document:
https://supportforums.cisco.com/docs/DOC-13713
group-policy AllowVPN internal
group-policy AllowVPN attributes
group-policy NoVPN internal
group-policy NoVPN attributes
 vpn-simultaneous-logins 0
Then set the NoVPN policy as the default one in your tunnel-group:
tunnel-group myTG type remote-access
tunnel-group myTG general-attributes
 authentication-server-group myLDAP
 vpn-simultaneous-logins 1
 default-group-policy NoVPN
So by default, all users connecting to this tunnel-group will be denied access (because group-policy NoVPN is applied which allows 0 simultaneous connections).
Next, create an LDAP attribute map that maps the desired group to the AllowVPN policy:
ldap attribute-map VPN-LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPNUSERS,OU=Users,DC=CISCOTEST,DC=COM" AllowVPN
What this does is create a mapping between the LDAP "memberOf" attribute and the ASA "IETF-Radius-Class" attribute (which indicates the group-policy to use). In the most recent ASA software versions, "IETF-Radius-Class" has been replaced with "Group-policy".
It also defines that the LDAP group "CN=VPNUSERS,OU=Users,DC=CISCOTEST,DC=COM" should be mapped to the group-policy "AllowVPN"
Finally, apply the attribute map to the LDAP server(s):
aaa-server myLDAP protocol ldap
aaa-server myLDAP (inside) host 10.0.0.1
 ...
 ldap-attribute-map VPN-LDAP-MAP
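The post above shows the group-policy, attribute-map and tunnel-group pieces separately and elides the aaa-server host settings. The block below is an added example, not from the thread or from Cisco's documents, that puts the whole Method 2 configuration together for an ASA 8.x with the AnyConnect client. Every name, IP address, DN, pool range and account in it is an assumed placeholder; the LDAP attribute name "IETF-Radius-Class" is the one the post uses (newer releases call it "Group-Policy").

```cisco
! Added example configuration; all names, addresses and DNs are placeholders.
!
! 1. Group policies. NoVPN denies by allowing zero simultaneous logins;
!    AllowVPN is what a mapped AD group member receives.
group-policy NoVPN internal
group-policy NoVPN attributes
 vpn-simultaneous-logins 0
group-policy AllowVPN internal
group-policy AllowVPN attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL
!
! 2. Attribute map. The map is first-match only (as noted earlier in the
!    thread), so put the group that should grant access first.
ldap attribute-map VPN-LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPNUSERS,OU=Users,DC=example,DC=com" AllowVPN
!
! 3. AAA server group pointing at a domain controller. The bind account
!    only needs read access to the user tree; LDAP over SSL (636) keeps the
!    bind password and user credentials off the wire.
aaa-server myLDAP protocol ldap
aaa-server myLDAP (inside) host 10.0.0.1
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap-bind,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password <bind-account-password>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map VPN-LDAP-MAP
!
! 4. Tunnel group. Default policy is NoVPN; only users whose memberOf value
!    matches the map get AllowVPN pushed back as their group-policy.
ip local pool VPN-POOL 192.168.100.10-192.168.100.60 mask 255.255.255.0
tunnel-group myTG type remote-access
tunnel-group myTG general-attributes
 authentication-server-group myLDAP
 default-group-policy NoVPN
 address-pool VPN-POOL
tunnel-group myTG webvpn-attributes
 group-alias Remote enable
!
! 5. Verify the bind and a user lookup from the CLI before trying a client:
! test aaa-server authentication myLDAP host 10.0.0.1 username jdoe password <pw>
! debug ldap 255
```

The `test aaa-server` command reports whether the bind succeeded and whether the user was found, and `debug ldap 255` shows the memberOf values returned by AD and which map-value (if any) matched, which is the quickest way to see why a user is landing in NoVPN instead of AllowVPN.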
04-30-2012 08:55 AM
Roberto
Thanks for info. I'll start digging in, and let you know how it works.
I checked the licenses and applied them. I rebooted the ASA and strangely it still doesn't enable the AnyConnect Essentials. ...see below: I will not read into it..I'll move forward with the rest of the instructions that you posted.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
04-30-2012 03:30 PM
If you have any problem with the license of anyconnect essential please send an email to: