I'm working on a ASA and integrating it into active directory for the first time and am having trouble understanding some of the AAA concepts.
if I set the AAA settings for VPN tunnel access to use LDAP authentication and authorization, I can use a domain account to log in just fine. However if I make a change in the Active Directory to not allow remote access for that account, it still allows access...
if I set the AAA settings for VPN tunnel access to use RADIUS authentication and authorization (the RADIUS is integrated into AD already), I can log in just fine and I can then allow/deny VPN access using Active Directory account's remote access properties.
I'm confused, isn't "authorization" the part that should look into the active directory for settings? and isn't "authentication" just the process of looking up the username/password? if this is correct, based on the documentation that LDAP supports authorization, but not authentication, it should be picking up these settings, but doesn't.
my second misunderstanding is if I have to resort to a RADIUS server for active directory integration, why would anyone bother to setup LDAP directly to the AD, when all it seems to do is a username/password check?
You're sort of correct... in theory LDAP could be used to authorise for AAA - but to my knowledge no AAA server yet supports this.
ACS almost does, in as much as it can map from the users LDAP group membership to an ACS group. But this is far from actually retrieving the data from LDAP itself.
Remember also, that LDAP only offers quite simple authentication protocols... basically PAP. We tried long and hard to get LDAP vendors to support MSCHAP. The reason being that there were 1000s of customers wanting LEAP wireless against their LDAP database.
So the AAA server is still a required component in order to map between the AAA world of protocols and packets and the LDAP world of users and groups.
but if the only thing LDAP will really accomplish is mapping users to groups, isn't that an authentication function (which is supposedly not supported).
I almost suspect that the ASA documentation is backward. where they say authorization is supported and authentication isn't, it should be the other way around. since as you say, it'll map users to groups, but no real data comes out of active directory, it seems this fits into the definition of authentication.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :