Cisco Support Community
New Member

Cisco ASA and auth

Hi All,

How does authentication of VPN users work on the ASA? I know it can have a local database, but what about external databases? I guess I am wondering if I can have my ASA communicate with my Windows AD environment for usernames and passwords. Is this possible?

TIA,

R

9 REPLIES

Re: Cisco ASA and auth

When you are using the local database for authentication, the router will search its database... but whenever you have an external server, you have to configure the router to forward the new or incoming connection request to the external host or server that has the authentication AAA database... so here you need to configure the router to forward the request to that server, and the server will prompt for the username and password.

hope this will help you

rate this post if it helps

regards

Devang

Gold

Re: Cisco ASA and auth

I do not have a lot of experience with the ASA, but if it's like most other Cisco products, they do not support Windows AD directly.

You can use a RADIUS or TACACS server, which can then use the AD server. You should be able to run the RADIUS or TACACS server function on your AD server if you like, since there are many available for Windows.

New Member

Re: Cisco ASA and auth

Hmm... when I go to add a server group under the AAA portion, NT domain is an option for authentication, but not for authorization. What's the difference?

Gold

Re: Cisco ASA and auth

Looks like I need to go study the AAA in the ASA boxes if they now take NT domain as an option.

The authorization is normally what commands a user may issue after he has logged on to the router. It allows more controlled access by user rather than changing the commands themselves into other access levels and using enable levels for control. I do not think this is used in a VPN environment, but they may have changed that also since the ASA boxes came out.

Re: Cisco ASA and auth

It means it provides the authentication to users...

Normally in security we assign some specific task or application to a particular user with the help of authentication and authorisation...

Authentication will tell that the user is reliable, and authorisation will tell that the user has XYZ privileges to access... meaning here there is an entry with user name, password as well as the privilege level... so this is the difference between both.

hope this will help you

rate this post if it helps

regards

Devang

New Member

Re: Cisco ASA and auth

So let me get this straight.

I could assign my AD environment to authenticate the user just for username and password, but then use either local host or a RADIUS or LDAP server to do the assigning of privileges? How do most people do this?

Re: Cisco ASA and auth

Here RADIUS, LDAP or TACACS will also provide you all of the authentication, authorisation and accounting...

Here are a few links which will help you...

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

RADIUS: http://www.cisco.com/en/US/tech/tk583/tk547/tsd_technology_support_sub-protocol_home.html

TACACS: http://www.cisco.com/en/US/tech/tk583/tk642/tsd_technology_support_sub-protocol_home.html

ASA: http://www.cisco.com/en/US/products/sw/secursw/ps2086/tsd_products_support_series_home.html

Here you have to do some reading, but it will be helpful to you.

hope this will help you

rate this post if it helps

regards

Devang

New Member

Re: Cisco ASA and auth

On any Windows Server 2003 at least, you can install IAS, or Internet Authentication Service, under the Add/Remove Windows Components of the networking services section. It's a Microsoft RADIUS server.

Then on your ASA put its IP as the AAA server. It's actually really easy.

Re: Cisco ASA and auth

Yes it is... you can find RADIUS on Windows 2003 Server by

Start - Administrative Tools - Routing and Remote Access, then right-click on Properties... then select the Security tab and then select RADIUS authentication...

And you can have RADIUS for Linux also, I think at www.freeradius.org...

It's very easy to configure...

rate this post if it helps

regards

Devang
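
As an added example, not part of any post in this thread: a minimal ASA configuration that sends VPN user authentication to a RADIUS server such as IAS, which the replies above describe. The names AD-RADIUS and RA-VPN, the interface name inside, the address 192.0.2.10 and the bracketed values are placeholders, and the tunnel group is assumed to exist already.

```cisco
! Added example. AD-RADIUS, RA-VPN, 192.0.2.10 and <...> values are placeholders.
!
! 1. Define a RADIUS server group, then the server reachable via the inside interface.
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 192.0.2.10
 ! Shared secret; must match the RADIUS client entry created for the ASA on the server.
 key <shared-secret>
 ! The ASA defaults to 1645/1646; set the ports explicitly to match the server.
 authentication-port 1812
 accounting-port 1813
!
! 2. Point the VPN tunnel group at the server group.
!    The trailing LOCAL makes the ASA fall back to its local database
!    only when no server in the group responds.
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-RADIUS LOCAL
!
! 3. Verify from the ASA itself before testing with a VPN client.
test aaa-server authentication AD-RADIUS host 192.0.2.10 username <user> password <password>
```

If the LOCAL fallback is kept, any local accounts on the ASA become valid VPN logins whenever the RADIUS server is unreachable, so keep that local user list short and audited.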
