Remote-access Guide

cisco asa remote access vpn active directory authentication

by Vladimir Orn MD Published 2 years ago Updated 1 year ago

How do I configure remote access VPN in ASA?

The parameters for remote-access connections are configured in Tunnel Groups. To create a Tunnel Group to support CAC authentication, choose VPN > General > Tunnel Group and add a new Tunnel Group. The Basic settings can use the Default Group Policy or another Group Policy as needed.

How do I configure Active Directory to authenticate to a VPN?

Enter the ASA's IP address as a Client IPv4 Address condition. Enter the Active Directory user group which contains VPN users. Click the Constraints tab. Choose Authentication Methods.

How do I set up AnyConnect as a service to Asa?

First you need to create a 'service account' in Active Directory that the ASA will use. It only needs to be able to browse the AD, so a simple Domain User is fine. Then create a user group that you want to grant AnyConnect access to.

How does the ASA connect to Active Directory?

The ASA is configured to authenticate that user with the Microsoft Active Directory (AD)/LDAP server. The ASA binds to the LDAP server with the credentials configured on the ASA (admin in this case), and looks up the provided username. The admin user also obtains the appropriate credentials to list contents within Active Directory.


AAA Server configuration

In the following configuration steps, replace the 192.168.x.x addresses with the addresses of the two LDAP servers. The attribute map ASAMAP determines which Active Directory security group's members are allowed to connect to the VPN.

LDAP attribute map

Replace the value ASAGroupPolicyName with the VPN group policy which will use the LDAP authentication.

What type of authentication does ASA use?

By default, the ASA uses the unencrypted Password Authentication Protocol (PAP) authentication type. This does not mean that the ASA sends the password in plain text when it sends the RADIUS REQUEST packet. Rather, the plaintext password is encrypted with the RADIUS shared secret.

What is ASA in Windows 2008?

This document explains how to configure an Adaptive Security Appliance (ASA) to communicate with a Microsoft Windows 2008 Network Policy Server (NPS) with the RADIUS protocol so that the legacy Cisco VPN Client/AnyConnect/Clientless WebVPN users are authenticated against Active Directory. NPS is one of the server roles offered by Windows 2008 Server. It is the equivalent of IAS (Internet Authentication Service) on Windows 2003 Server, which is the implementation of a RADIUS server to provide remote dial-in user authentication. Similarly, in Windows 2008 Server, NPS is the implementation of a RADIUS server. Basically, the ASA is a RADIUS client to an NPS RADIUS server. The ASA sends RADIUS authentication requests on behalf of VPN users and NPS authenticates them against Active Directory.

How to install NPS on Windows 2008?

If not, choose Start > Administrative Tools > Server Roles > Add Role Services. Choose the Network Policy Server and install the software. Once the NPS Server Role is installed, complete these steps in order to configure the NPS to accept and process RADIUS authentication requests from the ASA:

How to create a connection request policy in NPS?

Under NPS > Policies, right-click Connection Request Policies and create a new policy.

Which user group contains VPN users?

Enter the Active Directory user group which contains VPN users.

Can you add a group to Active Directory?

For example, you can add Active Directory user groups as a condition. Only those users who belong to a specified Windows group are authenticated under this policy.

Does ASA use PAP?

Note: The test aaa-server authentication command always uses PAP. Only when a user initiates a connection to tunnel-group with password-management enabled does the ASA use MSCHAP-v2. Also, the 'password-management [password-expire-in-days days]' option is only supported with Lightweight Directory Access Protocol (LDAP). RADIUS does not provide this feature. You will see the password expire option when the password is already expired in Active Directory.

How to control remote access VPN?

One method to control access to Remote Access VPN on the ASA is to use the Dial-in Access controls available in Active Directory. The ASA can interpret this value and make the appropriate authorization decision based on this value. There are three possible combinations for this checkbox. By setting the checkbox to Allow access or Control access through Remote Access Policy, access will be granted. Setting the checkbox to Deny access will deny access.

How does authentication work?

Authentication is easy. Authentication is simply validating that an entity is actually who they claim to be. In the case of PKI, we can guarantee that the entity that presents a certificate is who they say they are because they present their signed public certificate. Since the public certificate is signed by a trusted CA, the certificate is valid and the entity is verified. Authorization is another story. Just because an entity presents a valid certificate does not mean that entity should have access to a network device. If we were only to authenticate users presenting CACs, then every one of millions of CAC holders would have identical access to network resources. Authorization allows the credentials supplied during authentication to be used to determine the entity's rights to access a system. Unfortunately, the CAC certificates do not have very much identifying information. The only common user identity field among all of the certificates is the Subject Name. Unfortunately, the Subject Name consists of only the Common Name and the various Organizational Unit (OU) fields. These fields do not provide any type of hierarchy to identify which organization the user belongs to.

How does CAC work in Active Directory?

When the Active Directory is CAC-enabled, the user must insert a CAC into the workstation reader and enter a PIN. The workstation then sends the PKI credentials to the Active Directory using the Kerberos protocol. Refer to Microsoft's Smart Card Logon White Paper available from http://www.microsoft.com/windows2000/docs/sclogonwp.doc for details. Once the user's certificate is validated, the AD server uses the Principal Name taken from the SAN of the Signature Certificate to search for the user in the Active Directory and grant or deny access based on the settings found.

Can ASA use CAC?

Prior to version 7.2, the ASA can only use fields from the Subject Name of the certificate for authorization. With version 7.2 of ASA, the Principal Name field can be extracted from the Subject Alternative Name field on the certificate, allowing the CAC to be used for authorization.

Can you modify Active Directory?

In most cases, the Active Directory can be used with little or no modification. However, setting a few optional components can greatly enhance the customizability of the solution.

Does Active Directory require a Smart Card?

Because the box is checked for the setting Smart card is required for interactive logon, it effectively eliminates the password from the user account. Kerberos authentication and authorization are impossible. Fortunately, Active Directory allows for Lightweight Directory Access Protocol (LDAP) queries against the database. The LDAP structure for a typical AD user record is illustrated in Figure. With the use of LDAP authorization, the problem of all CAC users having access to the ASA VPN is eliminated. Only users that are in the Active Directory will have access to the ASA.

What is the second command in ASA?

The second command will bring you to the aaa-server-host configuration mode. In this mode, you need to define the parameters that ASA will use to communicate with the LDAP server. You will need to configure the following parameters at the least:

What level of debug is used for ASA?

If your configuration does not work correctly, then you can use level 255 ldap debugs on ASA (debug ldap 255) and the following three-step approach to find the problem area:

What is LDAP login DN?

ldap-login-dn: the Distinguished Name (DN) for the admin account or any account in the directory which can log in, search and retrieve account information from the directory. The ASA will log in to the directory using this account to search for the user. Since AD is being used, you can also specify the username in UPN format.

What is ldap-scope?

ldap-scope: this defines whether the ASA will look only at the base DN level or go below the base DN level to search for the user accounts.

Can LDAP be used on any other server?

Though this article focuses on Active Directory as an LDAP server, the information can be easily applied to any other LDAP server without any change. In the next part of the series, we will look at authorization of VPN users using LDAP attributes and attribute maps.

What is the primary source of authentication in RA VPN?

In the RA VPN configuration, select the authentication method. The Primary Identity Source for User Authentication must be the AD.

How to configure Identity Rule?

In order to configure the Identity rule, navigate to Policies > Identity > select

Why does ASA use LDAP?

In this example, the ASA checks with an LDAP server in order to verify the identity of users that it authenticates. This process does not work like a traditional Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) exchange. These steps explain, at a high level, how the ASA uses an LDAP server in order to check user credentials.

What is ASA in AD?

The ASA is configured to authenticate that user with the Microsoft Active Directory (AD)/LDAP server.

What is a login DN?

Login DN —the DN with enough privileges to search, read and look up users in the LDAP server

What is LDAP 255?

The debug ldap 255 command can help to troubleshoot authentication problems in this scenario. This command enables LDAP debugging and allows you to watch the process that the ASA uses to connect to the LDAP server. This output shows the ASA connecting to the LDAP server as outlined in the Background Information section of this document.

How to verify LDAP?

Verify your LDAP configuration with the Test button on the AAA Server Groups configuration screen. Once you supply a username and password, this button allows you to send a test authentication request to the LDAP server.

What is the DN in LDAP?

Base DN —the location in the LDAP hierarchy where the server must begin to search

What is the interface name of a LDAP server?

Interface Name —the interface that the ASA uses in order to reach the LDAP server. Server Name or IP address —the address that the ASA uses in order to reach the LDAP server. Server Type —the type of LDAP server, such as Microsoft. Base DN —the location in the LDAP hierarchy where the server must begin to search.
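The attribute map (ASAMAP, ASAGroupPolicyName) and the aaa-server-host parameters listed above (login DN, scope, base DN, server type, interface) put together as one worked ASA configuration. This is an added example, not configuration from the original page or from Cisco; the addresses 192.0.2.10 and 192.0.2.11, the directory DC=example,DC=com, the bind account svc-asa-ldap, the AD group VPN-Users and the names LDAP-AD, NOACCESS and VPN-RA are assumed placeholders.

```cisco
! Added example with assumed values: two domain controllers on the inside
! interface, directory DC=example,DC=com, read-only bind account svc-asa-ldap,
! AD security group VPN-Users, group policy ASAGroupPolicyName.

! 1. Attribute map: a memberOf value naming the allowed group becomes the
!    ASA Group-Policy; a user with no matching memberOf gets no mapping.
ldap attribute-map ASAMAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Users,OU=Groups,DC=example,DC=com ASAGroupPolicyName

! 2. AAA server group; each host line enters aaa-server-host mode.
!    LDAP over SSL keeps the bind password and user passwords off the wire.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map ASAMAP
aaa-server LDAP-AD (inside) host 192.0.2.11
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map ASAMAP

! 3. The tunnel group's default policy allows zero logins, so a domain user
!    who is not in VPN-Users authenticates but cannot obtain a session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy ASAGroupPolicyName internal
group-policy ASAGroupPolicyName attributes
 vpn-simultaneous-logins 3
tunnel-group VPN-RA type remote-access
tunnel-group VPN-RA general-attributes
 authentication-server-group LDAP-AD
 default-group-policy NOACCESS

! Check from exec mode (the test command always uses PAP), then watch the bind
! and search with: debug ldap 255
!   test aaa-server authentication LDAP-AD host 192.0.2.10 username jdoe
```

A user in VPN-Users should show ASAGroupPolicyName in the debug output's attribute mapping; a valid domain user outside the group should be accepted by LDAP and then refused with the simultaneous-logins limit of NOACCESS.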

Can domain users authenticate?

Note: At this point ALL DOMAIN USERS can successfully authenticate. To lock it down to one domain security group, either apply a Dynamic Access Policy (these can only be done in the ASDM), or skip further down to edit and create your group policies and use an attribute map.

Can ASA use a domain user?

First you need to create a 'service account' in Active Directory that the ASA will use. It only needs to be able to browse the AD, so a simple Domain User is fine.
