New Member

ldap authentication

Hello All,

I'm using a Cisco ASA 5512-X with ASDM.

ASA version 9.1(2)

ASDM version 7.2(1)

I configured my LDAP server and tested it; the connection is OK.

But I'm not sure how to configure my IPsec remote VPN to authenticate only users who belong to the Active Directory "VPN" group and deny all others.

 

I created a dynamic access group in ASDM; is that enough?

Please try to explain it to me simply, since I'm not all that good with the Cisco CLI. If it's possible to explain it the ASDM way, that would be preferred.

Thank you very much.

5 REPLIES
Silver

Hi Henry Green

If you already have your LDAP and the remote VPN working, the next step is to use LDAP to authenticate the remote VPN users.

You need to add the following config to your tunnel group:

ciscoasa(config)#tunnel-group testgroup general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group LDAP

 

Also check this useful link: 

https://supportforums.cisco.com/document/139241/remote-access-vpn-asa-authentication-using-ldap-server

 

- Hope this helps -

 

New Member

Hi Rvarelac,

 

Thank you for the reply,

but my question is: how do I narrow the LDAP scope to just a specific LDAP group?

I have an LDAP group called "VPN"; I want them and them alone to be able to authenticate via remote VPN.

Any advice?

Cisco Employee

The ASA checks with an LDAP server in order to verify the identity of the users that it authenticates. This process does not work like a traditional Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) exchange. These steps explain, at a high level, how the ASA uses an LDAP server in order to check user credentials.

 

Refer to these links for the configuration:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

  1. The user initiates a connection to the ASA.

  2. The ASA is configured to authenticate that user with the Microsoft Active Directory (AD)/LDAP server.

  3. The ASA binds to the LDAP server with the credentials configured on the ASA (admin in this case), and looks up the provided username. The admin user also needs the appropriate privileges to list contents within Active Directory. Refer to http://support.microsoft.com/?id=320528 for more information about how to grant LDAP query privileges.

    Note: The Microsoft website at http://support.microsoft.com/?id=320528 is managed by a third party provider. Cisco is not responsible for its content.

  4. If the username is found, the ASA attempts to bind to the LDAP server with the credentials that the user provided at login.

  5. If the second bind is successful, authentication succeeds and the ASA processes the attributes of the user.

    Note: In this example the attributes are not used for anything. Refer to ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example in order to see an example of how the ASA can process LDAP attributes.

  6.  
New Member

The LDAP connection and binding are working well,

but the issue is that right now any LDAP user is allowed to authenticate via VPN (IPsec remote VPN using the Cisco VPN Client),

which is a problem for me. So how do I permit only members of a specific LDAP group to authenticate?

 

(If the answer was already provided in your post and I didn't get it, I apologize; please break it down simply for me to understand, if possible.)

 

Thank you very much.

New Member

Hi 

 

Please check the following link that has an example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

 

Cheers!!

Minakshi (Do rate the helpful posts)
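The replies above point at the Cisco documents but never spell the configuration out. What the linked LDAP-attribute-map document describes, put together as one ASA 9.1 CLI fragment, is added below as a worked example; it is not from this thread or from Cisco, and every name and value in it is assumed: the domain controller 192.0.2.10, the base DN DC=example,DC=com, the bind account, the map name LDAP-GROUP-MAP, the group policies VPN-USERS and NOACCESS, the tunnel group RA-IPSEC and the address pool RA-POOL. The AAA server group is called LDAP, matching the tunnel-group lines in the first reply. The idea is that authentication itself cannot be restricted to a group (any valid AD account can complete the two binds described in the Cisco employee's post), so the restriction is done at authorization: the user's memberOf values are mapped to a group policy, and anyone the map does not match lands in a default policy that allows zero logins.

```cisco
! Added example (not from the thread): admit only members of the AD group "VPN".
! Assumed values: 192.0.2.10, DC=example,DC=com, the bind DN, the policy,
! map, pool and tunnel-group names.

! 1. Translate the user's memberOf attribute into an ASA group-policy name.
!    Only the VPN group's DN is listed; every other memberOf value maps to nothing.
ldap attribute-map LDAP-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN,OU=Groups,DC=example,DC=com" VPN-USERS

! 2. The AAA server group the tunnel group points at (named LDAP, as in the first reply).
!    ldap-login-dn is the account the ASA uses for the first (lookup) bind.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map LDAP-GROUP-MAP

! 3. Policy applied when the map selects nothing: zero simultaneous logins,
!    so a user who authenticated but is not in CN=VPN is refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 4. Policy that members of CN=VPN receive.
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1

! 5. Tunnel group for the IPsec/IKEv1 (Cisco VPN Client) users: authenticate against
!    LDAP and fall back to NOACCESS unless the attribute map picked a policy.
ip local pool RA-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 authentication-server-group LDAP
 default-group-policy NOACCESS
 address-pool RA-POOL
tunnel-group RA-IPSEC ipsec-attributes
 ikev1 pre-shared-key <group-psk>
```

A few things to check before relying on it. Run `test aaa-server authentication LDAP host 192.0.2.10 username <user> password <pw>` with `debug ldap 255` enabled: the debug output lists the memberOf values AD returned and which group policy the map selected, which is the quickest way to catch a DN in `map-value` that does not match what AD actually sends. memberOf holds only direct membership, so users who are in "VPN" only through a nested group will be refused. On releases older than the one used here the same map was written against `IETF-Radius-Class` instead of `Group-Policy`; the mechanism is the same. In ASDM the equivalent objects live under Configuration > Remote Access VPN > AAA/Local Users > LDAP Attribute Map and under Network (Client) Access > Group Policies, and the "dynamic access group" mentioned in the question (a Dynamic Access Policy) is the other supported way to do this: a DAP matching on the ldap.memberOf attribute with a terminate action achieves the same deny without the attribute map.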
