Tuesday, June 7, 2011

How To Configure A Cisco ASA To Authenticate Remote-Access Users With Microsoft LDAP/Active Directory

Today I had the opportunity to configure an ASA to be integrated with
Active Directory. My customer only wanted (at this point) to have vpn
remote-access users authenticate through AD. So, being a little "not"
well versed in AD stuff, I had to employ the help of my customer. I
showed him an example of what I needed (shown below in #1) and he filled
in the blanks (#2).
#1, from a document I found:
ciscoasa#configure terminal
!--- Configure the AAA Server group.
ciscoasa(config)#aaa-server LDAP_SRV_GRP protocol ldap
!--- Configure the AAA Server.
ciscoasa(config-aaa-server-group)#aaa-server LDAP_SRV_GRP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-password **********
ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)#ldap-scope subtree
ciscoasa(config-aaa-server-host)#server-type microsoft
ciscoasa(config-aaa-server-host)#exit

#2, Here below is what I got from the Microsoft guy at my customer (a
little changed to protect the company):
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 192.168.1.10
ldap-base-dn dc=ad, dc=company, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password testpassword
ldap-login-dn cn=SVC_LDAPQUERY, ou=ServiceAccounts, ou=SpecialPurposeUsers, ou=AdministrativeSpecial-GroupsAndUsers, dc=ad, dc=company, dc=com
server-type microsoft
I then applied this for my remote-access users so that they would use AD
to authenticate with:
tunnel-group testtunnelgroup general-attributes
authentication-server-group LDAP_SRV_GRP
By the way, one thing I noticed that is different from using RADIUS:
on the user properties, I did NOT have to select "allow" on the dial-in
tab. A big time saver if you have a lot of users. NOR did I have to
create a group, like I normally would with RADIUS. However, if I wanted
to allow certain users and deny others, that might be research for
another posting. Hmmm.
Anyway, to test from the ASA to see if authentication is working, I used
the following command:
ASA# test aaa-server authentication LDAP_SRV_GRP host 192.168.1.10 username testuser password pass*
INFO: Attempting Authentication test to IP address <192.168.1.10> (timeout: 12 seconds)
INFO: Authentication Successful
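To make concrete what that test exercises, here is an added Python model (not from the post, and not Cisco code) of the sequence the aaa-server stanza sets up: bind as the ldap-login-dn, search the ldap-base-dn for ldap-naming-attribute=username, then bind as the entry found. The directory contents, passwords and error strings are constructed for the model; only the success line matches the ASA output above, and it also handles the ASA's other ldap-scope keyword, onelevel.

```python
# Added model of the ASA's LDAP authentication sequence; the directory below is constructed.
def normalize_dn(dn):
    """AD DNs are case-insensitive; also drop the spaces the ASA syntax allows after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))
# Values from the post's filled-in stanza, spaces after commas and all.
ASA_LDAP = {
    "ldap-base-dn": "dc=ad, dc=company, dc=com",
    "ldap-login-dn": "cn=SVC_LDAPQUERY, ou=ServiceAccounts, ou=SpecialPurposeUsers, "
                     "ou=AdministrativeSpecial-GroupsAndUsers, dc=ad, dc=company, dc=com",
    "ldap-login-password": "testpassword",
    "ldap-naming-attribute": "sAMAccountName",
    "ldap-scope": "subtree",  # the other ASA keyword is "onelevel"
}
# Constructed stand-in for the AD tree, keyed by normalized DN (cleartext passwords only here).
DIRECTORY = {normalize_dn(dn): attrs for dn, attrs in {
    "cn=SVC_LDAPQUERY,ou=ServiceAccounts,ou=SpecialPurposeUsers,ou=AdministrativeSpecial-GroupsAndUsers,dc=ad,dc=company,dc=com":
        {"sAMAccountName": "SVC_LDAPQUERY", "password": "testpassword"},
    "cn=Test User,ou=Staff,dc=ad,dc=company,dc=com":
        {"sAMAccountName": "testuser", "password": "pass*"},
    "cn=Other User,dc=ad,dc=othercompany,dc=com":  # outside the configured base DN
        {"sAMAccountName": "other", "password": "x"},
}.items()}
def bind(directory, dn, password):
    """Simple bind: the DN must exist and the password must match."""
    attrs = directory.get(normalize_dn(dn))
    return attrs is not None and attrs["password"] == password
def search(directory, base_dn, scope, attribute, value):
    """DNs below base_dn whose attribute equals value; scope is 'subtree' or 'onelevel'."""
    base = normalize_dn(base_dn)
    hits = []
    for dn, attrs in directory.items():
        if not dn.endswith("," + base):
            continue  # outside ldap-base-dn: never visible to the ASA's search
        if scope == "onelevel" and "," in dn[: -len(base) - 1]:
            continue  # deeper than one level below the base
        if attrs.get(attribute) == value:
            hits.append(dn)
    return hits
def asa_ldap_authenticate(cfg, directory, username, password):
    """End-to-end check like 'test aaa-server authentication' (error strings are this model's)."""
    if not bind(directory, cfg["ldap-login-dn"], cfg["ldap-login-password"]):
        return "ERROR: login DN bind failed (check ldap-login-dn / ldap-login-password)"
    hits = search(directory, cfg["ldap-base-dn"], cfg["ldap-scope"], cfg["ldap-naming-attribute"], username)
    if len(hits) != 1:
        return "ERROR: user not found under ldap-base-dn (or not unique)"
    # Any subtree entry with a valid password passes: no dial-in "allow" flag or group check, as the post notes.
    if bind(directory, hits[0], password):
        return "INFO: Authentication Successful"
    return "ERROR: user bind failed (invalid password)"
```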
Really, it's a lot less work than setting up RADIUS. However, again,
there may be situations where you prefer RADIUS over LDAP for AD
integration.