KB ID 0001152 Dtd 03/02/16
When I first started doing Cisco remote VPNs, we had Server 2000/2003 and I used to use RADIUS with IAS. Then Microsoft brought out 2008/2012 and RADIUS via NAP. Because I fear and loathe change, I swapped to using Kerberos VPN Authentication for a while. I had to put in an ASA5512-X this weekend and the client wanted to allow AnyConnect to a particular Domain Security Group “VPN-Users”, so I thought I would use LDAP for a change.
The process is to set up AAA for LDAP, then create an ‘Attribute map’ for the domain group, and then map that group to a particular ASA Tunnel Group/ASA Group Policy. Well guess what – It didn’t work! So I ended up using a blend of LDAP and Cisco Dynamic Access Policy (DAP) to do the same, (don’t panic, it’s actually easier than writing an LDAP attribute map).
Firstly you need to create a ‘service account’ in Active Directory that the ASA will use. It only needs to be able to browse the AD, so a simple Domain User is fine.
Then create a user group that you want to grant AnyConnect Access to;
And, then create a test user and put that user in your domain group.
Configure the ASA for LDAP
Create an AAA LDAP Server Group > Add a Server > Put in the Config for that server like so;
CHANGE THE ENTRIES BELOW (SERVER GROUP NAME, HOST, BASE DN, LOGIN DN AND PASSWORD) TO MATCH YOUR REQUIREMENTS

Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-LDAP-SERVER protocol ldap
Petes-ASA(config-aaa-server-group)# aaa-server PNL-LDAP-SERVER (inside) host 192.168.100.10
Petes-ASA(config-aaa-server-host)# ldap-base-dn dc=pnl,dc=com
Petes-ASA(config-aaa-server-host)# ldap-scope subtree
Petes-ASA(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
Petes-ASA(config-aaa-server-host)# ldap-login-password P@assword123
Petes-ASA(config-aaa-server-host)# ldap-login-dn cn=asa,OU=ServiceAccounts,OU=PNL,dc=pnl,dc=com
Petes-ASA(config-aaa-server-host)# server-type auto-detect
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)# exit
Petes-ASA#

Now perform a test, and make sure it says “Successful”:

NOTE: HERE I'VE SET IT TO FALL BACK TO LOCAL AUTH IF THE LDAP SERVER IS DOWN!

Petes-ASA# test aaa-server authentication PNL-LDAP-SERVER host 192.168.100.10 username administrator password P@ssword123
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
Add LDAP Authentication For AnyConnect
I’m assuming you already have AnyConnect set up? If not, that’s fine: simply follow the article below, which will set it up for LOCAL authentication. Get it working, then come back here.
To change authentication from LOCAL you make a change in the Tunnel-Group for your remote VPN connection; if you don’t know the name of your tunnel group, ‘show run tun’ will list them. You add the authentication-server-group to the general-attributes section of the config, like so;

NOTE: HERE IT WILL FALL BACK TO 'LOCAL' AUTH IF LDAP GOES DOWN (THIS IS GOOD!)

Petes-ASA(config)# tunnel-group PNL-TG-ANYCONNECT-ACCESS general-attributes
Petes-ASA(config-tunnel-general)# authentication-server-group PNL-LDAP-SERVER LOCAL
Petes-ASA(config-tunnel-general)# exit
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 30899474 8c9cd7c6 495be299 fd911bca
19681 bytes copied in 3.340 secs (6560 bytes/sec)
[OK]
Petes-ASA(config)#

Note: At this point ALL DOMAIN USERS can successfully authenticate. To lock it down to one domain security group, apply a Dynamic Access Policy (these can only be configured in the ASDM).
Cisco ASDM Configure Dynamic Access Policies
Connect to the ASDM > Configuration > Remote Access VPN > Dynamic Access Policies > Add.
Add an LDAP Condition > IF NOT a member (or not equal to member) > Insert the domain security group. Then set the policy’s action to ‘Terminate’, so anyone who authenticates against LDAP but is not in that group is disconnected.
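To sanity-check the logic above before touching the ASA, here is an added example (not part of the original article, and not Cisco code) that models what the ASA does: a subtree search on the ldap-naming-attribute under the base DN, then the DAP rule “not a member of VPN-Users → Terminate”. It runs against a constructed in-memory directory; the group’s OU path (OU=Groups,OU=PNL) and the two user accounts are assumptions, and it only reads direct memberOf values, exactly the limitation the ASA has with nested groups.

```python
# Added example: mirrors the ASA LDAP lookup + DAP group check against a constructed directory.
from typing import Dict, List, Optional

# RFC 4515 escaping: a username such as 'a*)(cn=*' must not change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(naming_attribute: str, username: str) -> str:
    """The filter the ASA issues under ldap-base-dn with ldap-scope subtree."""
    return f"({naming_attribute}={escape_filter_value(username)})"

def normalize_dn(dn: str) -> str:
    # AD returns DNs with mixed case ('cn=' vs 'CN='); compare them case-insensitively.
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_member_of(entry: Dict[str, List[str]], group_dn: str) -> bool:
    # memberOf lists DIRECT group membership only; nested groups are not expanded here
    # (nor by the ASA), which is a common reason a DAP group check unexpectedly terminates.
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(dn) == wanted for dn in entry.get("memberOf", []))

def evaluate_dap(entry: Optional[Dict[str, List[str]]], required_group_dn: str) -> str:
    """DAP rule: IF NOT a member of the group -> 'terminate', otherwise 'continue'.
    An account with no directory entry is treated as not a member (fail closed)."""
    if entry is None or not is_member_of(entry, required_group_dn):
        return "terminate"
    return "continue"

# Constructed directory keyed by sAMAccountName (assumed accounts, assumed OU for the group).
CONSTRUCTED_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "vpntest": {"memberOf": ["CN=VPN-Users,OU=Groups,OU=PNL,DC=pnl,DC=com"]},
    "jsmith": {"memberOf": ["CN=Domain Users,CN=Users,DC=pnl,DC=com"]},
}

def lookup(naming_attribute: str, username: str) -> Optional[Dict[str, List[str]]]:
    # Stand-in for the subtree search performed after binding as ldap-login-dn.
    if naming_attribute != "sAMAccountName":
        return None
    return CONSTRUCTED_DIRECTORY.get(username)

VPN_GROUP_DN = "cn=VPN-Users,OU=Groups,OU=PNL,dc=pnl,dc=com"  # assumed location

def vpn_decision(username: str, group_dn: str = VPN_GROUP_DN) -> str:
    """End-to-end: what the DAP would do for this user after a successful LDAP bind."""
    return evaluate_dap(lookup("sAMAccountName", username), group_dn)
```

The same memberOf comparison is what the failed attribute map would have needed, so a user who terminates here but should not is usually a nested-group or DN-mismatch problem rather than an ASA fault.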