implementing VPN for remote users

Unanswered Question
Apr 26th, 2012

I am looking for some advice.  I have roughly 50 users that are remote, and use VPN to access the resources in my network such as file servers, application servers etc.  We currently use Microsoft VPN to authenticate those users.  It works, but I am not a fan of Microsoft VPN.

I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN.  I want to configure my ASA so my remote users can continue to VPN into my network securely, but also want them to authenticate from their Active Directory credentials.  Is this possible?

If authenticating to AD from Cisco is not traditional, and problematic, then I am open to suggestions.  I do not have web licenses, only the AnyConnect.

Thanks. 

Marcin Latosiewicz Thu, 04/26/2012 - 10:22

ASA can talk to AD over LDAP. Not a problem there.

Regarding the whole idea - you can, but you don't have to move away from MS VPN client - one of the modes - L2tp over IPsec is supported on ASA.

If that's not enough for some reason you have SSL VPN or IPsec VPN - in both cases I suggest looking at Anyconnect client. Old Cisco VPN client will be soon out of support - but is still working for the most part.

cmi_marketing Fri, 04/27/2012 - 07:39

Marcin -

Thanks for the reply.   I do have the Anyconnect client.  How do I configure Anyconnect to LDAP?  Not sure if I should use the GUI or command line.  GUI seems more intuitive since I'm a step above a VPN novice.  When I set up my SITE to SITE VPN between my building and another building, it really junked up my config.

Thanks in advance.

ROBERTO TACCON Thu, 04/26/2012 - 10:32

Hello,

check for the Anyconnect essential license.

AnyConnect Essentials

1. Client based model. Client gets installed on Remote computers to connect into the Remote network via SSL or IPsec IKEv2.

2. Single license per active device (YOU NEED TO BUY 2 LICENSES IF A CLUSTER OF 2 UNITS IS DEPLOYED).

3. Full tunneling access to Enterprise applications.

4. LDAP users integration with NO additional cost.

5. IPv6 fully compliant (in the next release of ASA in July 2012 IPv6 to IPV6 tunnel)

For example product:

Anyconnect Essentials VPN License ASA 5520 750 Users

(750 users simultaneous connected for single ASA!)

product code: L-ASA-AC-E-5520=

TOTAL price: $144

http://www.provantage.com/cisco-systems-l-asa-ac-e-5520~7CSCI0E3.htm

cmi_marketing Fri, 04/27/2012 - 07:34

Roberto -

Thanks for the info. I purchased a bunch of licenses.  One of which was the Anyconnect Essentials, so not sure why it is showing 'disabled'.  Here is what it looks like when I do a show ver.

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

Any config ideas on how to set the Anyconnect to LDAP?

ROBERTO TACCON Fri, 04/27/2012 - 07:51

Have you reloaded the ASA after the install of the license key ?

About the LDAP configuration please check the

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

NOTE:

You can create an ACL on the ASA and use the ldap attribute map to map the attribute with the IETF-Radius-Filter-ID attribute.

In order to check the creation of the LDAP attribute map,  you can go to http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Instead of the “IETF-Radius-Class” you would need to use “IETF-Radius-Filter-Id”.

Multiple attribute mapping is NOT supported by LDAP attribute map, it works on the first match !!!

I.e. if the user is part of both the groups, the matching would be done based on the first match; it would not check the next line. So if the user is part of both the groups it would be mapped only with the first ldap map configuration.

ROBERTO TACCON Fri, 04/27/2012 - 10:31

Briefly as indicated by CISCO Herbert Baerten CCIE #20060 (Security)

https://supportforums.cisco.com/thread/2120492

When the ASA performs an LDAP authentication request, the AD server will (if the authentication is successful) send back a number of attributes, one of which is the "memberOf" attribute which tells the ASA what AD group(s) the user is in.

The attributes are taken from (in this order):

- the DAP policy

- user attributes pushed by the AAA server

- group-policy pushed by the AAA server

- group-policy defined in the tunnel-group

- DfltGrpPolicy

The "memberOf" attribute can be used in 2 ways:

1) Method 1: using DAP (Dynamic Access Policies)

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Using ASDM, create a DAP rule that matches on AAA attribute "ldap.memberOf" and the action set to "continue".

Then in the default rule, set the action to "terminate".

This way only users that are part of the group matched in the first rule will be granted access, all others will be denied.

2) Method 2 ("simple/better and WORKING method for my customers"): using an LDAP attribute map

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

Start by creating 2 group-policies, as described in the document:

https://supportforums.cisco.com/docs/DOC-13713

group-policy AllowVPN internal
group-policy AllowVPN attributes

group-policy NoVPN internal
group-policy NoVPN attributes
  vpn-simultaneous-logins 0

Then set the NoVPN policy as the default one in your tunnel-group:

tunnel-group myTG type remote-access
tunnel-group myTG general-attributes
  authentication-server-group myLDAP
  vpn-simultaneous-logins 1
  default-group-policy NoVPN

So by default, all users connecting to this tunnel-group will be denied access (because group-policy NoVPN is applied which allows 0 simultaneous connections).

Next, create an LDAP attribute map that maps the desired group to the AllowVPN policy:

ldap attribute-map VPN-LDAP-MAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=VPNUSERS,OU=Users,DC=CISCOTEST,DC=COM" AllowVPN

What this does is create a mapping between the LDAP "memberOf" attribute and the ASA "IETF-Radius-Class" attribute (which indicates the group-policy to use). In the most recent ASA software versions, "IETF-Radius-Class" has been replaced with "Group-policy".

It also defines that the LDAP group "CN=VPNUSERS,OU=Users,DC=CISCOTEST,DC=COM" should be mapped to the group-policy "AllowVPN"

Finally, apply the attribute map to the LDAP server(s):

aaa-server myLDAP protocol ldap
aaa-server myLDAP (inside) host 10.0.0.1
  ...
  ldap-attribute-map VPN-LDAP-MAP
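As an added illustration (not part of the thread and not Cisco's code), this Python model walks the logic described above: the attribute map turns a user's memberOf values into a group-policy, the tunnel-group's NoVPN default denies everyone else, and the first-match caveat from the earlier reply decides a user who is in two mapped groups. The LEAVERS group DN and the vpn-simultaneous-logins value on AllowVPN are assumptions.

```python
"""Constructed model of the ASA behaviour described above: an ldap attribute-map
turns a user's AD memberOf values into a group-policy, and that policy's
vpn-simultaneous-logins decides whether the login is accepted."""

# Group policies from the thread. Assumption: AllowVPN carries the thread's
# "vpn-simultaneous-logins 1"; DfltGrpPolicy keeps the ASA default of 3.
GROUP_POLICIES = {
    "DfltGrpPolicy": {"vpn-simultaneous-logins": 3},
    "AllowVPN": {"vpn-simultaneous-logins": 1},
    "NoVPN": {"vpn-simultaneous-logins": 0},
}

# ldap attribute-map VPN-LDAP-MAP as an ordered list of map-value lines.
# The caveat from the thread: the ASA stops at the FIRST line that matches,
# so a user in two mapped groups gets whichever policy is listed first.
VPN_LDAP_MAP = [
    ("CN=VPNUSERS,OU=Users,DC=CISCOTEST,DC=COM", "AllowVPN"),
    ("CN=LEAVERS,OU=Users,DC=CISCOTEST,DC=COM", "NoVPN"),  # constructed DN
]

TUNNEL_GROUP_DEFAULT_POLICY = "NoVPN"  # default-group-policy NoVPN


def map_member_of(member_of, attr_map=VPN_LDAP_MAP):
    """Return the group-policy chosen by the attribute map, or None if no
    memberOf value matches. DNs are compared case-insensitively."""
    groups = {dn.lower() for dn in member_of}
    for map_dn, policy in attr_map:
        if map_dn.lower() in groups:
            return policy
    return None


def effective_attribute(name, mapped_policy, default=TUNNEL_GROUP_DEFAULT_POLICY):
    """Resolve an attribute in the precedence order the thread lists (DAP and
    per-user attributes are not modelled): AAA-pushed group-policy, then the
    tunnel-group's default-group-policy, then DfltGrpPolicy."""
    for policy in (mapped_policy, default, "DfltGrpPolicy"):
        if policy is not None and name in GROUP_POLICIES[policy]:
            return policy, GROUP_POLICIES[policy][name]
    raise KeyError(name)


def login_decision(member_of):
    """Return (policy applied, accepted) for one user's memberOf values."""
    mapped = map_member_of(member_of)
    policy, limit = effective_attribute("vpn-simultaneous-logins", mapped)
    return policy, limit > 0
```

Reversing the order of VPN_LDAP_MAP flips the outcome for a user who is in both groups, which is the "first match" behaviour to keep in mind when a deny group is added to the map.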

cmi_marketing Mon, 04/30/2012 - 08:55

Roberto

Thanks for the info.  I'll start digging in, and let you know how it works.

I checked the licenses and applied them.  I rebooted the ASA and strangely it still doesn't enable the Anyconnect Essentials. ...see below:   I will not read into it..I'll move forward with the rest of the instructions that you posted.

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Enabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

Posted April 26, 2012 at 8:31 AM