LDAP Authentication from ASA to Active Directory with VPN Group for AnyConnect or Cisco VPN Client

10. February 2014 Cisco ASA 8

Configure LDAP authentication instead of using Radius.  Using LDAP eliminates the issue of configuring IAS and/or Radius on the server.  It generally doesn’t require any additional server modifications unless you have your server locked down tight.

In this example we created a group in the root of the Active Directory domain called VPNUsers and users in that group we want to permit access to the VPN whether it be by AnyConnect or the old Cisco VPN Client IPSEC.  You also need to create a username & password in AD for the ASA to authenticate users off LDAP.  I’ve read where this user needs to have Admin rights, however I have used this exact configuration on both an Admin user and a Standard Domain User.

ldap attribute-map LDAPMAP
  map-name  memberOf IETF-Radius-Class

value memberOf CN=VPNUsers,DC=mydomain,DC=local  SSLClient

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.1.2.10
 ldap-base-dn dc=mydomain,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn LDAPASA@mydomain.local
 server-type microsoft
 ldap-attribute-map LDAPMAP
 
group-policy SSLClient internal
group-policy SSLClient attributes
 dns-server value 10.1.2.10 10.1.2.11
 vpn-simultaneous-logins 5
 vpn-tunnel-protocol ssl-client
 default-domain value mydomain.local
 address-pools value vpnpool1
 
group-policy NoVPN internal
group-policy NoVPN attributes
 vpn-simultaneous-logins 0
 address-pools none
 
 tunnel-group SSLClient type remote-access
 tunnel-group SSLClient general-attributes
  authentication-server-group LDAP
 default-group-policy NoVPN

That should be about it.  You can test against LDAP by this example:

test aaa-server authentication LDAP host 10.1.2.10 username joeuser password blahblah

You can also debug LDAP from the ASA.

term mon
debug ldap 255

If LDAP continues to fail, make sure the group is correct in AD.
From the Windows Server, get to a DOS prompt and type “dsquery -group -name VPNUsers

It should give you an output similar to this:

“CN=VPNUsers,DC=mydomain,DC=local”

 

Good Luck!

 


8 thoughts on “LDAP Authentication from ASA to Active Directory with VPN Group for AnyConnect or Cisco VPN Client”

Leave a Reply