Configure ASA 5520 VPN to use AD authentication using LDAP

We have an existing ASA 5520 in place, and we would like to restrict the potential VPN users to a group in AD. How can this be accomplished, via LDAP? If so, how does one configure this?
jmpatterson asked:
ccsistaff commented (accepted solution):
The LDAP-specific configuration is not recommended due to two DoS vulnerabilities when the ASA is a VPN termination endpoint.  See:

http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml

Alternatively:

Install Internet Authentication Service (IAS) on your Domain Controller and configure your ASA 5520 as a RADIUS Client.  Create a Remote Access Policy to restrict login access to the Group in AD.  Your users will connect to the VPN, receive an IP address in the local pool from the ASA, and be requested to provide username and password, which will be authenticated against the RADIUS server.

Configure aaa RADIUS server host:

# aaa-server RADIUS protocol radius
# aaa-server RADIUS max-failed-attempts 3
# aaa-server RADIUS deadtime 10
# aaa-server RADIUS (inside) host 192.168.0.204 RADIUS_KEY timeout 10

Create an access-list for RADIUS auth:

# access-list 100 permit ip <VPN LOCAL POOL> 255.255.255.0 any

Set aaa authentication to match the access list and use RADIUS to authenticate those users:

# aaa authentication match 100 inbound RADIUS

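As an added illustration of what the accepted answer sets up (this is example code written for this page, not code from the original post, from Cisco or from Microsoft IAS), the script below models the RADIUS exchange between the ASA, acting as the RADIUS client, and the IAS server that holds the AD group policy. It implements the RFC 2865 User-Password hiding with the shared secret, the Response Authenticator the client checks on the reply, and a stand-in for the Remote Access Policy that only accepts users who are members of the VPN group. The shared secret RADIUS_KEY, the user names, passwords and the group name VPN-Users are constructed sample values; the AD lookup is a small in-memory dictionary standing in for the directory.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

# Placeholder shared secret, mirroring the RADIUS_KEY placeholder in the ASA config above
SHARED_SECRET = b"RADIUS_KEY"

# Constructed stand-in for AD plus the IAS Remote Access Policy condition
VPN_GROUP = "VPN-Users"
AD_DIRECTORY = {
    "alice": {"password": "s3cret!", "groups": ["Domain Users", "VPN-Users"]},
    "bob":   {"password": "hunter2", "groups": ["Domain Users"]},  # valid account, not in the VPN group
}


def _pack_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    # where the "previous block" for the first block is the Request Authenticator
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, identifier, req_auth):
    # What the ASA sends to 192.168.0.204 after the VPN user enters credentials
    attrs = _pack_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def radius_server_handle(packet, secret, directory=AD_DIRECTORY, group=VPN_GROUP):
    # Stand-in for IAS: verify the password against AD, then apply the group condition of the policy
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(_parse_attrs(packet[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    entry = directory.get(user)
    if entry and hmac.compare_digest(entry["password"].encode(), password) and group in entry["groups"]:
        code, reply = ACCESS_ACCEPT, []
    else:
        # One generic reason: the client is not told whether the user, password or group check failed
        code, reply = ACCESS_REJECT, [(ATTR_REPLY_MESSAGE, b"Access denied")]
    body = _pack_attrs(reply)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, req_auth, secret):
    # Client-side check; a reply with a bad authenticator is discarded, not treated as a reject
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "unknown")


def authenticate(username, password, secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    # Full round trip: ASA builds the request, IAS answers, ASA validates the answer
    req_auth = os.urandom(16)
    request = build_access_request(username, password, secret, identifier=7, req_auth=req_auth)
    response = radius_server_handle(request, server_secret)
    return verify_response(response, req_auth, secret)


if __name__ == "__main__":
    for user, pw in [("alice", "s3cret!"), ("bob", "hunter2"), ("alice", "wrong")]:
        print(user, "->", authenticate(user, pw))
    print("mismatched secret ->", authenticate("alice", "s3cret!", server_secret=b"other"))
```

Two points the round trip makes visible: a user with valid domain credentials who is outside the VPN group gets the same Access-Reject as a bad password, which is the behaviour the Remote Access Policy produces, and a shared secret that differs between the ASA and the IAS host makes the reply fail the authenticator check rather than reject the user, so a misconfigured RADIUS_KEY shows up on the ASA as a non-responding server, not as a login failure.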
jmpatterson (author) commented:
We will move forward as per the solution. I will post any items of concern should there be any. Thanks for your help.