VPN client authentication againts Active Directory

sroberts
Level 1

Hi,

I need to know how to configure the VPN client to authenticate against Active Directory for the VPN authentication.

We have the latest VPN client software with an ASA5510 running version 7.0.

Can we do this without the IAS radius server?

Do you have an example of how to configure the ASA5510 for that?

Do we have to do something on the Active Directory to make it work?

Thanks for any replies!!

19 Replies

gfullage
Cisco Employee

The main section of the VPN client config is detailed here:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/vpnrmote.htm

This uses locally configured usernames and passwords on the ASA. I suggest you get it working with that first, and only then proceed to set it up to authenticate using AD.

v7.0 did introduce a number of new user database options over the standard Radius/TACACS in 6.3 code. You can now natively authenticate to an AD database, so you do NOT need to use an IAS Radius server in between.

You then need to set up your NT domain controller with the following:

aaa-server ntauth protocol nt
aaa-server ntauth (inside) host x.x.x.x
   nt-auth-domain-controller

Then map your VPN authentication to the "ntauth" AAA server process with:

tunnel-group testgroup general-attributes
   authentication-server-group ntauth

That should get you going.

Hi,

Thanks for the answers. I will try the NT auth with Active Directory.

My understanding was that the NT Domain authentication option was not compatible with Active Directory. I thought we could use the NT auth only with the old NT domain database.

thanks


If you are using the local authentication on the ASA, is it possible to VPN if there is no username specified? I am trying to VPN into a customer's ASA and have everything configured except for the username command. I think I'm stuck until I go back out and configure a user on the ASA.

When I try connecting using the VPN client, I get the username and password prompt, but have no user configured. Previously, they had a PIX501 and it connected with the group info and password. Now, it's prompting for the username and password, which aren't there.

Any suggestions in the meantime?

Thanks,

Kevin

I guess if you are not using RADIUS or TACACS+ you have to use the local database for authentication. For local authentication to happen you have to have a minimum of one username statement.

I called the customer and had him add the username command in the config.

Then, I could enter that username and password in the VPN client prompt which let me in.

On a side note, they previously had a PIX 501 with 6.x code. Now, they have a new ASA 5510. When I copy/pasted some of the commands, such as the fixup protocol and VPN group commands, it's pretty neat when it converts the commands to the new 7.x commands.

Kevin

This was nice, I tried it and it worked. Now, is there any way we can log which user has authenticated successfully and at what time?

thanks,

Shakeel

If you are using a Linux server setup then you can use the default syslog server that comes with Linux. If you are using a Windows server setup then you can install any of the free syslog servers available on the net (www.kiwisyslog.com). You would then have to configure your firewall to send syslog messages to your server. Following is the syslog setup for my firewall. I have suppressed some messages. You can configure according to your needs:

logging on
logging monitor informational
logging trap errors
logging host inside
no logging message 106023
no logging message 305005
no logging message 305012
no logging message 302010
no logging message 302014
no logging message 304001
no logging message 302016

For VPN authentication you will get the following logs:

2006-01-06 08:00:48 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10308', sid 2603

2006-01-06 09:46:59 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10164', sid 2605

Also keep the time synchronised between your firewall and syslog server if you are not sending timestamps for your syslog messages to your syslog server. For time synchronisation you can use a trusted NTP server like 192.43.244.18. If you are really getting good results from my suggestions, rating them will be nice of you.
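To get the per-user audit trail Shakeel asked about, here is an added example (not code from the thread) that parses the %PIX-2-109011 "Authen Session Start" lines quoted above as received by a syslog server; the regex, function names and the extra non-authentication line are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the two %PIX-2-109011 lines quoted in the post, plus one
# constructed unrelated message (fictitious id 999999) so the parser has something to skip.
SAMPLE_LOG = """\
2006-01-06 08:00:48 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10308', sid 2603
2006-01-06 09:46:59 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10164', sid 2605
2006-01-06 09:47:03 Local4.Info 172.x.x.x %PIX-6-999999: constructed filler message, not an auth event
"""

# One successful authentication session start, as the syslog server writes it:
# "<date> <time> <facility.severity> <firewall> %PIX-2-109011: ... user '<u>', sid <n>"
AUTH_START = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<host>\S+) "
    r"%PIX-2-109011: Authen Session Start: user '(?P<user>[^']*)', sid (?P<sid>\d+)$"
)


def parse_auth_sessions(log_text):
    """Return one dict per 109011 line: when, from which firewall, which user, session id."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_START.match(line.strip())
        if not m:
            continue  # not an authentication event; other message ids are ignored
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "host": m.group("host"),
            "user": m.group("user"),
            "sid": int(m.group("sid")),
        })
    return events


def sessions_per_user(events):
    """Count successful VPN authentications per user (the audit view asked for)."""
    return Counter(e["user"] for e in events)


def unexpected_users(events, allowed_users):
    """Users who authenticated but are not in the allowed set, in order of first appearance."""
    seen = []
    for e in events:
        if e["user"] not in allowed_users and e["user"] not in seen:
            seen.append(e["user"])
    return seen


if __name__ == "__main__":
    for e in parse_auth_sessions(SAMPLE_LOG):
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S}  user {e['user']:>8}  sid {e['sid']}  via {e['host']}")
```

Because the timestamp comes from the syslog server rather than the firewall, the NTP advice above is what makes the "at what time" part of the answer trustworthy.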


I am sorry. Since this site is running very slow my post got appended twice. Mr. Administrator, this site is great but believe me it's damn slow.

This is an excellent answer.

AD is an LDAP and Kerberos directory too.

For AD authentication with Cisco VPN Client, can I use LDAP or Kerberos?

Do I lose some features by using NT auth?

I thought the same thing, that NT auth was for NT4 PDC/BDC.

Thank you

The concept of IAS (the RADIUS server of Windows) works on LDAP. Anyway, I have found that with the new PIX OS, i.e. v7.0, there is an option to directly authenticate against AD, which I guess works on LDAP again. I just got to work on the new OS for a few days, but unfortunately could not test this feature.

Hi, the version 7.0 admin guide states that the LDAP server feature only supports authorization and not authentication, in which case the user needs to be authenticated by some other method, i.e. RADIUS, first.

I have gotten the authentication against the AD server to work with an ASA 5520 7.1(1) and a fully patched Windows 2003 AD server. However, it allows anyone with an AD account to log in to the VPN. In the AD, under a user's properties you have a Dial-in tab that grants authorization to use VPN. Can I use this to control which AD accounts can access VPN through the ASA?

See Case SR 603607315 for more info.

I have looked at the following document; however, the ASDM client I have is newer and different from the one in this doc. Lastly, it does not specify what you can and cannot leverage from the AD tree.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml#steps

John

John, did you ever get this working? I have noticed also that even when I deny permission for the AD account it still lets them authenticate.
