Friday, February 1, 2013

Cisco ASA: Radius Authentication Using LDAP For Remote-Access VPN Users

Yesterday I integrated a company's remote-access vpn users from a local database on their Cisco ASA to using radius authentication via LDAP.  I really like this solution for several reasons.  One password for each user instead of two, logging of who logs in and out via VPN, etc.  I used IAS on a Microsoft 2003 server.  Its free and works great.  There is some configuration on the Microsoft server, but I wanted to concentrate on the ASA configuration.  Ill assume that you have remote-access already setup on your ASA.  I think Ive covered it extensively already on this site. So here is what I did on the ASA for the integration with Active Directory.

tunnel-group testusergroup general-attributes
 address-pool remote-access-pool
 authentication-server-group LDAP_SRV_GRP
 default-group-policy testusergroup

aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 192.168.1.2
 server-port 389
 ldap-base-dn dc=test, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ADpassword
 ldap-login-dn skillen@test.com
 server-type microsoft

No comments:

Post a Comment

Your comment will be reviewed for approval. Thank you for submitting your comments.