ASA Active Directory Authentication


Today I am going to explain how to configure the ASA for LDAP authentication. This configuration is useful when you want to enforce your company password policy on VPN users. Basically, it lets VPN users authenticate to AnyConnect with their corporate directory (usually AD) username and password. The upside is that you do not need to set up a local VPN user account for each user, and end users do not need to remember multiple usernames and passwords for different systems.

Diagram

This is the diagram that I am going to use for this post.

LDAP service account creation

First of all, you need a service account that the ASA will use to perform LDAP queries against the LDAP server.

Go to Active Directory and create a service account. It only needs to be able to browse AD, so a plain domain user is fine.

Security group creation for VPN users

This security group is required in order to control which LDAP users get VPN access. By default, the Cisco ASA grants VPN access to every LDAP user who can authenticate, and we do not want that to happen. This security group will be used as a condition in the Dynamic Access Policy later on.

Go to Active Directory Users and Computers and create a security group.

Open the properties of the newly created security group, open the Members tab and add the domain users you want to grant VPN access.

This is all you need to configure on the server side.

ASA configuration for LDAP authentication

Let's move on to the ASA configuration. Here are the commands required on the ASA to be able to run LDAP queries.


#Create the LDAP server group
aaa-server LDAP-SERVERS protocol ldap
#Specify the LDAP server's IP address. My LDAP server's IP is 10.30.1.15
aaa-server LDAP-SERVERS (inside) host 10.30.1.15
 #Specify the base DN. The base DN is the point from which the server searches for users.
 ldap-base-dn dc=tayam,dc=com
 #Specify the LDAP scope, i.e. how deep below the base DN the ASA searches for users
 ldap-scope subtree
 #Specify the LDAP naming attribute that the login username is matched against
 ldap-naming-attribute sAMAccountName
 #Specify the LDAP service account's password
 ldap-login-password Panda123
 #Specify the LDAP service account in DistinguishedName format
 ldap-login-dn cn=ldap user,OU=Service_Accounts,dc=tayam,dc=com
 #Specify the LDAP server type
 server-type auto-detect

You can test LDAP connectivity by issuing the command below.

test aaa-server authentication LDAP-SERVERS host 10.30.1.15 username ldap.user password Panda123

Please note that the username used here is the sAMAccountName of the LDAP service account created in the previous step, which differs from its DistinguishedName. You can check the DistinguishedName and sAMAccountName with the following PowerShell command:
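The server-side steps (service account and VPNUSERS security group) together with the lookup this paragraph refers to, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed, that the Service_Accounts OU from the ldap-login-dn above exists, and it uses a constructed OU=Groups container and constructed member names jdoe and asmith:

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT
# module and that OU=Service_Accounts and OU=Groups exist under dc=tayam,dc=com.
Import-Module ActiveDirectory

$domainDn = "DC=tayam,DC=com"

# 1. Service account the ASA binds with. A plain domain user is enough; it needs
#    no group memberships beyond Domain Users. Its password is stored statically
#    in the ASA config (ldap-login-password), so rotate both together.
$svcPassword = Read-Host -AsSecureString -Prompt "Password for ldap.user"
New-ADUser -Name "ldap user" -SamAccountName "ldap.user" `
    -Path "OU=Service_Accounts,$domainDn" `
    -AccountPassword $svcPassword -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true

# 2. Security group that the DAP condition will test against.
#    OU=Groups and the members jdoe/asmith are constructed for this example.
New-ADGroup -Name "VPNUSERS" -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,$domainDn"
Add-ADGroupMember -Identity "VPNUSERS" -Members "jdoe", "asmith"

# 3. The lookup the text refers to: DistinguishedName is the value for
#    ldap-login-dn, SamAccountName is what 'test aaa-server ... username' expects.
Get-ADUser -Identity "ldap.user" |
    Select-Object DistinguishedName, SamAccountName

# 4. Checks before pointing the ASA at the directory:
#    the service account should hold no privileged memberships ...
Get-ADPrincipalGroupMembership -Identity "ldap.user" | Select-Object Name
#    ... and the group DN returned here is the value the DAP memberOf test compares.
Get-ADGroup -Identity "VPNUSERS" | Select-Object DistinguishedName
Get-ADGroupMember -Identity "VPNUSERS" | Select-Object SamAccountName
```

Run it from a domain-joined management host as an account allowed to create objects in those OUs. The output of step 3 is what you paste into ldap-login-dn and the test aaa-server command; step 4 confirms the service account is unprivileged and shows the exact group DN the ASA will see in a user's memberOf attribute.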

Now you need to edit your Connection Profile.

Open ASDM > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.

In the Basic configuration, change AAA Server Group to the one you created in the previous step. In my case, this will be LDAP-SERVERS.

(OPTIONAL) If the LDAP server has a certificate, you can also use LDAPS.

Go to ASDM > Remote Access VPN > AAA/Local Users > AAA Server Groups and select your server group. Double-click the existing server and tick Enable LDAP over SSL.


(OPTIONAL) Additionally, you can add a secondary LDAP server for redundancy.

Go to ASDM > Remote Access VPN > AAA/Local Users > AAA Server Groups and select your server group. Click Add under Servers in the Selected Group and enter the secondary LDAP server's details.

Click OK and Apply the configuration. At this point any domain user can authenticate via LDAP. To restrict VPN authentication to one security group, a Dynamic Access Policy is required.
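The ASDM steps above (connection profile, optional LDAPS, optional secondary server) expressed as ASA CLI, as an added configuration example that is not from the original post. The tunnel-group name ANYCONNECT-PROFILE and the secondary server address 10.30.1.16 are assumptions; lines starting with ! are explanatory comments, not commands:

```text
! Added example (not from the original post): CLI form of the ASDM steps above.
! Assumed values: tunnel-group ANYCONNECT-PROFILE, secondary server 10.30.1.16.
aaa-server LDAP-SERVERS protocol ldap
aaa-server LDAP-SERVERS (inside) host 10.30.1.15
 ldap-base-dn dc=tayam,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password Panda123
 ldap-login-dn cn=ldap user,OU=Service_Accounts,dc=tayam,dc=com
 server-type microsoft
 ! LDAPS. Without these two lines the bind password above and every user's
 ! VPN password cross the network to 10.30.1.15 in cleartext on TCP/389.
 ldap-over-ssl enable
 server-port 636
! Secondary server for redundancy (assumed address); the per-host settings
! are not inherited, so repeat them.
aaa-server LDAP-SERVERS (inside) host 10.30.1.16
 ldap-base-dn dc=tayam,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password Panda123
 ldap-login-dn cn=ldap user,OU=Service_Accounts,dc=tayam,dc=com
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
! Point the AnyConnect connection profile at the LDAP server group
! (the "AAA Server Group" field in ASDM).
tunnel-group ANYCONNECT-PROFILE general-attributes
 authentication-server-group LDAP-SERVERS
! Verify each host, then watch the bind and the memberOf values the ASA receives.
test aaa-server authentication LDAP-SERVERS host 10.30.1.15 username ldap.user password Panda123
test aaa-server authentication LDAP-SERVERS host 10.30.1.16 username ldap.user password Panda123
debug ldap 255
```

server-type microsoft is used here instead of auto-detect because the directory is known to be Active Directory; either works. Before relying on LDAPS, check in the release notes for your ASA version whether the LDAPS connection validates the server certificate; if it does not, LDAPS protects the credentials on the wire but not against a spoofed directory server. Remember to turn off debug ldap once the test succeeds, since it logs every bind attempt.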

Dynamic Access Policy Configuration


Dynamic Access Policy (DAP) lets you control which group of users can authenticate via LDAP by setting up access conditions on the ASA. It can do much more than that, but in this post I will use DAP only to restrict authentication to the users who are members of the security group created earlier.

Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add.

Add an LDAP condition > IF NOT a member (!=) > enter the domain security group (in my case VPNUSERS). Then set the action to Terminate.


That's all that is required for DAP. At this point, if a user who is not a member of the VPNUSERS security group sends an authentication request, the user gets a "Login denied" message.

That’s all for this post 🙂 I will write an article for Certificate-based authentication in the next post.

Job Description

  • Responsible for day-to-day administration duties including Windows Active Directory object maintenance; conducts complex troubleshooting and repair tasks on Active Directory, Windows Server 2008-2019, Domain Controllers, DNS, user authentication and other operational systems as needed.
  • Writes scripts utilizing Directory Services to provide Identity Management and User/Group management tools utilizing Active Directory as the backbone for the Identity Access Management implementation.
  • Provides technical review of existing implementations and administrative practices (account and network administration, GPOs, OUs, DNS, etc.)
  • Administers User, Group and Computer objects and creates Group Policy using the Group Policy Management Console.
  • Participates in data cleansing efforts including remediation of duplicate user IDs, Directory Information Tree (DIT) redesign and modification recommendations, consolidation of Group Policy Objects, and implementation of access restrictions and auditing.
  • Provides basic training and support for design and administrative team members.
  • Experience in Windows deployment solutions (SCCM, Ghost, etc.).
  • Serves as in-house expert on best practices and efficient solutions supporting the Identity and Access Management (IAM) strategy to ensure proper implementation and leveraging of the Identity Management solutions.
  • Establishes service specifications to other systems including permissions modification, deletion, role definitions, reclassification and other similar access management related functions.
  • Maintains the enterprise identity management infrastructure and performs considerable work in the development and implementation of workflows and data integration/transformations in an identity management system.

Qualifications:

Minimum Requirements


  • Microsoft Certified Solutions Associate (MCSA)
  • Microsoft Certified Solutions Expert (MCSE)

Preferred:


  • Ability to install, configure and troubleshoot Active Directory and DNS for Active Directory, as well as skills necessary for Group Policy and Active Directory Security solutions.
  • Heavy Active Directory and Directory Services knowledge necessary.
  • Hands-on project experience designing and implementing custom identity workflows, resource provisioning and role based access controls.
  • Working experience with the Lightweight Directory Access Protocol (LDAP).
  • Working experience with operating-system administration of Windows Server 2008-2019.
  • Specific training and certifications are a plus.
  • PowerShell, VBScript and JavaScript are a plus.