4946 Views | 1 Helpful | 13 Replies

Anyconnect AD Authentication

NETAD
Level 4

Hello, can you assist in getting this working? Attached is my config. I don't know what else I could be missing.


Thanks

13 Replies

Francesco Molino
VIP Alumni

Hi

Is this an AD server?

Normally the admin user is in the Users OU.

If so the config should be:

ldap-login-dn cn=Administrator, cn=Users, dc=vlab,dc=com

If the admin account is in another OU, adapt the config.

Not mandatory, but you can add the following statement under your ldap config:

server-type microsoft

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks Francesco, it was a typo on my end. I used sAMAaccount instead of sAMAccount, and plus I changed the ldap-login-dn to cn=Users,cn=administrator... and it worked like a charm. If I need to authenticate certain users based on their connection profile and their group membership in AD, I'll have to use an attribute map, correct?

Yes, you'll need to use an attribute map for that.

For your reference, a Cisco doc showing how to do that:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco, I added the ldap attribute-map configuration. In the debug it shows that authentication is successful but it seems like the attribute-map is not triggered for some reason. I attached the config I have so far. Please review it and advise. Thank you. 

What version of ASA are you running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

9.8 on a 5506

It's been a while since I used LDAP to authenticate users. I prefer using RADIUS, less headache.

Can you try replacing your actual map-name with:

map-name memberOf IETF-Radius-Class


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I agree with you. That didn't work. What's weird is that the debug shows successful but the login fails on anyconnect.

Can you run a debug crypto when trying to connect to see what's going on?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

It's using the group-policy NOACCESS, which allows 0 simultaneous logins, but that should force it to use the attribute map, and it's not.

I just saw that you asked for debug crypto but I'm doing this with ssl. I tried debug webvpn but no output comes up when connecting.
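The pieces the thread converges on, assembled into one ASA configuration as an added example (this is not the poster's attached config and not Francesco's text): the LDAP server definition with the bind DN in the cn=Administrator,cn=Users,... order and server-type microsoft, the memberOf to IETF-Radius-Class attribute map with map-value lines that select a group-policy per AD group, a NOACCESS default group-policy with zero simultaneous logins so anyone the map does not match is refused, and the tunnel-group that ties them together. All hostnames, addresses, DNs, group-policy names, tunnel-group name and the bind password are constructed placeholders. Two lines go beyond what the thread states and are my own recommendations: binding with a dedicated read-only account instead of Administrator, and ldap-over-ssl on port 636 so the bind password and user credentials do not cross the network in clear text.

```cisco
! Added example, not the poster's attached config. Every name, address, DN
! and password below is a constructed placeholder; adapt them to your AD.

! --- 1. Attribute map: memberOf -> Class (IETF-Radius-Class) -> group-policy ---
! map-value DNs must match the group DN exactly as AD returns it in memberOf,
! and the right-hand side must be the name of an existing group-policy.
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=vlab,DC=com" GP-ADMINS
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=vlab,DC=com"  GP-USERS

! --- 2. LDAP server group pointing at the domain controller ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ! Recommendation (not from the thread): LDAPS instead of clear-text 389.
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=vlab,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Bind DN in the order Francesco gave (cn=<user>,cn=Users,dc=...).
 ! Recommendation (not from the thread): a dedicated read-only bind account
 ! rather than Administrator. The password is a placeholder.
 ldap-login-dn cn=svc-asa-ldap,cn=Users,dc=vlab,dc=com
 ldap-login-password CHANGE-ME-PLACEHOLDER
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! --- 3. Group policies ---
! Default for the tunnel-group: a user whose memberOf matches no map-value
! keeps NOACCESS and is rejected, because 0 simultaneous logins are allowed.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP-USERS internal
group-policy GP-USERS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 address-pools value AC-POOL

group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 address-pools value AC-POOL

ip local pool AC-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! --- 4. Connection profile (tunnel-group) for the AnyConnect SSL clients ---
tunnel-group AC-PROFILE type remote-access
tunnel-group AC-PROFILE general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
tunnel-group AC-PROFILE webvpn-attributes
 group-alias AC-PROFILE enable
```

To see whether the map fires, test the bind and the lookup from the CLI with `test aaa-server authentication AD-LDAP host 192.0.2.10 username <user> password <pass>` while `debug ldap 255` is on: the debug prints every memberOf value AD returned and, when a map-value matches, the mapped Class value. For the SSL client itself, `debug webvpn anyconnect 255` and `debug aaa common 255` show the group-policy the session actually received, which is where a successful LDAP bind followed by a client-side login failure (the NOACCESS symptom in this thread) becomes visible. The most common reasons the map does not trigger are a map-value DN that differs from the real group DN by OU path or spelling, and a group-policy name on the right-hand side that does not exist on the ASA.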

Hi Francesco, I did this today on a customer's firewall using the same config and it worked like a charm. I guess certain things don't execute in a lab like they do in the wild. Thanks for your help anyway.

Your config was good and you were facing a strange behavior.
But if it works on your customer's firewall, that's the most important thing.
You're welcome.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question