
Cisco ASA and auth

rhltechie
Level 1

Hi All,

How does authentication of vpn users work on the asa? I know it can have a local database, but what about external databases? I guess I am wondering if I can have my asa communicate with my windows AD environment for username and passwords. is this possible?

TIA,

R

9 Replies

devang_etcom
Level 7

when you are using the local database for authentication then router will search its database...but whenever you are having an external server then you have to configure the router to forward the new connection or incoming connection request to the external host or server which is having the authentication AAA database...so here you need to configure the router to forward the request to that server and server will prompt for the username and password

hope this will help you

rate this post if it helps

regards

Devang

tdrais
Level 7

I do not have a lot of experience with the ASA but if it's like most other Cisco products they do not support Windows AD directly.

You can use a RADIUS or TACACS server which can then use the AD server. You should be able to run the RADIUS or TACACS server function on your AD server if you like since there are many available for Windows.

hmm...when I go to add a server group under the AAA portion, NT domain is an option for authentication, but not for authorization. What's the difference?

Looks like I need to go study the AAA in the ASA boxes if they now take NT domain as an option.

The authorization is normally what commands a user may issue after he has logged on to the router. It allows more controlled access by user rather than changing the commands themselves into other access levels and using enable levels for control. I do not think this is used in a VPN environment but they may have changed that also since the ASA boxes came out.

it means it provides the authentication to users...

normally in security we are assigning some specific task or application to the particular user with the help of the authentication and authorisation...

authentication will tell the user is reliable and authorisation will tell the user has XYZ privileges to access...means here there is an entry with user name, password as well as the privilege level...so this is what the difference is between both.

hope this will help you

rate this post if it helps

regards

Devang

so let me get this straight.

I could assign my AD environment to authenticate the user just for username and password, but then use either local host or a RADIUS or LDAP server to do the assigning of privileges? How do most people do this?

here RADIUS, LDAP or TACACS will also provide you all the authentication, authorisation and accounting...

here are the few links which will help you...

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

RADIUS: http://www.cisco.com/en/US/tech/tk583/tk547/tsd_technology_support_sub-protocol_home.html

TACACS: http://www.cisco.com/en/US/tech/tk583/tk642/tsd_technology_support_sub-protocol_home.html

ASA: http://www.cisco.com/en/US/products/sw/secursw/ps2086/tsd_products_support_series_home.html

here you have to do some reading work but it will be helpful to you

hope this will help you

rate this post if it helps

regards

Devang

dbakula01
Level 1

On any Windows Server 2003 at least, you can install IAS or Internet Authentication Service under the add/remove Windows components of the networking services section. It's a Microsoft RADIUS server.

then on your ASA put its IP as the AAA server. It's actually really easy

yes it is...you can find RADIUS on Windows 2003 Server by

start - administrative tools - routing and remote access, then right click on properties...then select the security tab and then select RADIUS authentication...

and you can have RADIUS for Linux also, I think on www.freeradius.org...

it's very easy to configure...

rate this post if it helps

regards

Devang
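As an added illustration of what the thread describes (this is not configuration posted by any participant, and not a Cisco document), the following ASA configuration uses a Windows IAS RADIUS server for VPN user authentication and a separate LDAP server group pointed at the same domain controller for authorization, which is the split rhltechie asked about. The group names `AD-RADIUS`, `AD-LDAP` and `RA-VPN`, the address `10.0.0.10`, the domain `example.local`, the bind account and all secrets are constructed placeholders.

```cisco
! Constructed example: group names, addresses, DNs and secrets are placeholders
!
! RADIUS server group used for authentication (IAS on a Windows 2003 domain controller)
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 10.0.0.10
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
 timeout 5
!
! LDAP server group used only for authorization: the ASA binds with a low-privilege
! service account and looks the user up to pull group membership / attributes
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=local
 ldap-login-password REPLACE-WITH-BIND-PASSWORD
 server-type microsoft
!
! Attach both groups to the remote-access tunnel group. LOCAL after the RADIUS group
! is a fallback used only when the RADIUS servers are unreachable, not when they
! reject a credential, so a failed AD logon cannot be retried against local users.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-RADIUS LOCAL
 authorization-server-group AD-LDAP
 authorization-required
!
! Verify server reachability and the shared secret from the ASA before cutting
! users over (the test account and password are placeholders)
test aaa-server authentication AD-RADIUS host 10.0.0.10 username testuser password REPLACE-ME
```

The `test aaa-server` step is worth running first: a wrong shared secret shows up there as a failed authentication rather than as a flood of confused VPN users later. LDAPS on 636 is enabled so the bind account's password does not cross the inside network in cleartext, and the bind account should be a read-only domain user rather than an administrator, since its password sits in the ASA configuration.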
