Configure ASA 5520 VPN to use AD authentication using LDAP

Posted on 2009-05-01
Last Modified: 2013-12-24
We have an existing ASA 5520 in place, and we would like to restrict the potential VPN users to a group in AD. Can this be accomplished via LDAP? If so, how does one configure it?
Question by:jmpatterson

    Accepted Solution

    The LDAP-specific configuration is not recommended due to two DoS vulnerabilities when the ASA is a VPN termination endpoint.  See:


    Install Internet Authentication Service (IAS) on your Domain Controller and configure your ASA 5520 as a RADIUS client.  Create a Remote Access Policy to restrict login access to the group in AD.  Your users will connect to the VPN, receive an IP address from the local pool on the ASA, and be prompted for a username and password, which will be authenticated against the RADIUS server.

    Configure the aaa RADIUS server host (the host line needs the RADIUS server's IP address before the shared key; replace the placeholders with your own values):

    # aaa-server RADIUS protocol radius  
    # aaa-server RADIUS max-failed-attempts 3  
    # aaa-server RADIUS deadtime 10  
    # aaa-server RADIUS (inside) host <RADIUS SERVER IP> <RADIUS_KEY> timeout 10  

    Create an access-list for RADIUS auth:

    # access-list 100 permit ip <VPN LOCAL POOL> any

    Set aaa authentication to match the access list and use RADIUS to authenticate them

    # aaa authentication match 100 inbound RADIUS
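    The `aaa authentication match` form above is the ASA's cut-through proxy: it challenges traffic that leaves the VPN pool, after the tunnel is already up. The configuration below is an added example, not part of the original answer, showing the other way to tie the same IAS/RADIUS server to the VPN: the tunnel-group's `authentication-server-group` sends the VPN login itself to RADIUS, so a user the IAS Remote Access Policy rejects (not in the AD group) never gets a tunnel or a pool address. It uses ASA 8.0/8.2-era syntax (`vpn-tunnel-protocol ipsec`; 8.4 and later spell it `ikev1`). All names, addresses and keys (RADIUS, 10.0.0.10, VPN_POOL, VPN_USERS, RA_VPN, the shared secrets) are constructed sample values.

```cisco
! Added example (not from the original post). Sample values only:
! server 10.0.0.10, pool 192.168.100.0/24, keys shown are placeholders.
!
! RADIUS server group pointing at IAS on the domain controller (inside interface).
aaa-server RADIUS protocol radius
 max-failed-attempts 3
 deadtime 10
aaa-server RADIUS (inside) host 10.0.0.10
 key S3cr3tSharedKey
 timeout 10
!
! Address pool handed to clients only after a successful RADIUS authentication.
ip local pool VPN_POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0
!
! Group policy applied to authenticated VPN users.
group-policy VPN_USERS internal
group-policy VPN_USERS attributes
 vpn-tunnel-protocol ipsec
 vpn-simultaneous-logins 1
 address-pools value VPN_POOL
!
! Remote-access tunnel group: VPN logins go to the RADIUS group, not LOCAL.
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 authentication-server-group RADIUS
 default-group-policy VPN_USERS
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key GroupPreSharedKey
!
! Check the server binding before handing this to users (run from enable mode):
!   test aaa-server authentication RADIUS host 10.0.0.10 username jdoe password <pw>
! A user outside the AD group named in the IAS Remote Access Policy should fail here.
```

    Because the AD group restriction lives in the IAS Remote Access Policy, the ASA side needs no group logic; keep `authentication-server-group` free of a LOCAL fallback so that a RADIUS outage does not silently let local accounts in.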


    Author Closing Comment

    We will move forward as per the solution. I will post any items of concern should there be any. Thanks for your help.
