Community Member

SSL VPN client authentication

Currently our ASA is configured to use LDAP for authenticating VPN clients.  I read several manuals that show how to set the ASA up for either LDAP, RADIUS, or LOCAL authentication.  What I'd like to do is use both LDAP and LOCAL authentication, such that when a client connects, it checks local authentication before checking LDAP.  Has anyone had success doing this and could share an example config?

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions

Re: SSL VPN client authentication

It sounds like double authentication isn't what you are looking for.  Based on the above requirement, you will be better off configuring a separate tunnel group for your restricted users which will use local authentication exclusively.  You can then present the users with a drop-down menu on the auth portal where they choose their desired tunnel group.  Alternatively, you can configure group-urls in order to direct the users to the correct tunnel group.  For example, you could have https://vpn.vpn.com/employee and https://vpn.vpn.com/vendor where the employee TG will use LDAP and the vendor TG will use local auth.
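The two-tunnel-group layout described in this answer, written out as an added ASA 8.2-style configuration example; it is not from the original thread or from Cisco documentation. The AAA server group name, AD host, bind DN, ACL, group-policy, tunnel-group and user names are placeholders. Beyond what the answer spells out, it restricts the vendor group-policy with a vpn-filter and pins the local account to its tunnel group with group-lock, so a local vendor login cannot land in DefaultWEBVPNGroup (which authenticates against LOCAL by default) and pick up that group's policy instead. Lines beginning with ! are comments.

```cisco
! --- LDAP server group for employees (placeholder host and DNs) ---
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft

! --- Least-privilege filter for vendors: only RDP to one jump host ---
access-list VENDOR-ACL extended permit tcp any host 10.0.5.20 eq 3389
access-list VENDOR-ACL extended deny ip any any

! --- Group policies ---
group-policy EMPLOYEE-GP internal
group-policy EMPLOYEE-GP attributes
 vpn-tunnel-protocol svc webvpn

group-policy VENDOR-GP internal
group-policy VENDOR-GP attributes
 vpn-tunnel-protocol svc webvpn
 vpn-filter value VENDOR-ACL
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30

! --- Employee tunnel group: authenticates against LDAP ---
tunnel-group EMPLOYEE-TG type remote-access
tunnel-group EMPLOYEE-TG general-attributes
 authentication-server-group LDAP-AD
 default-group-policy EMPLOYEE-GP
tunnel-group EMPLOYEE-TG webvpn-attributes
 group-alias Employee enable
 group-url https://vpn.vpn.com/employee enable

! --- Vendor tunnel group: authenticates against the LOCAL database only ---
tunnel-group VENDOR-TG type remote-access
tunnel-group VENDOR-TG general-attributes
 authentication-server-group LOCAL
 default-group-policy VENDOR-GP
tunnel-group VENDOR-TG webvpn-attributes
 group-alias Vendor enable
 group-url https://vpn.vpn.com/vendor enable

! --- Local vendor account: VPN-only, locked to its tunnel group ---
username vendor1 password <vendor-password>
username vendor1 attributes
 vpn-group-policy VENDOR-GP
 group-lock value VENDOR-TG
 service-type remote-access

! --- Portal: show the tunnel-group drop-down and enable AnyConnect ---
webvpn
 enable outside
 tunnel-group-list enable
 svc enable
```

Two things worth checking after applying this: `show vpn-sessiondb` should report vendor sessions under VENDOR-GP with the filter attached, and a vendor1 login through the employee URL (or the bare portal) should fail rather than succeed with a different policy. Note also that `authentication-server-group LDAP-AD LOCAL` on a single tunnel group is not the "check LOCAL first" behaviour asked about in the question: the LOCAL fallback there is used only when the LDAP server is unreachable, not when a user's credentials are rejected.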

4 REPLIES

Re: SSL VPN client authentication

ASA 8.2 and later has a feature called Double Authentication in which you can require two forms of authentication for Clientless WebVPN and AnyConnect users.  In your case, the local database can be checked first followed by LDAP.  Users will need to successfully authenticate to both in this case.

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1243545

Community Member

Re: SSL VPN client authentication

That would grant access to users who I wish to give access to the network without having to give them an AD account.  But, you're saying I'd also have to put the AD users' IDs/passwords in the ASA for local authentication as well?  Say it ain't so!


Community Member

Re: SSL VPN client authentication

I suspected I might have to use separate tunnel groups.  Thanks for your input!
