Solved

How to use Remote Access Permissions in AD to control Cisco SSL VPN access?

Posted on 2009-05-10
723 Views
Last Modified: 2012-06-27
I've successfully configured my ASA 5510 to use AD for authentication of my VPN users.  I'd like to tighten access down and use Remote Access Permissions in AD to control who can use the resource.  Can someone point me in the right direction?
Question by:jwixted
14 Comments
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350667
User's properties, the dial-in tab.
 

Author Comment

by:jwixted
ID: 24350670
Right, I know how to SET the rights, how do I get the ASA to evaluate them...
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350675
oh, sorry... how do you have ISA configured? Is it set to pull a certain group with permissions, or just to authenticate the password against the domain controllers? Can you send a quick show run of the relevant part?

 

Author Comment

by:jwixted
ID: 24350711
Currently, the ASA (not ISA) authenticates the users against AD - if they have an enabled AD user account, they get access, regardless of the values in the Remote Access Permissions settings in AD.  Relevant (I think) section of the config (names & IPs modified):

aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.17.222.219
 nt-auth-domain-controller DC2
aaa-server ActiveDirectory (inside) host 10.17.222.211
 nt-auth-domain-controller DC1
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.17.222.219
 ldap-base-dn dc=mydomain.com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=vpnauth,OU=No Password Policy,DC=mydomain,DC=com
 server-type microsoft
 ldap-attribute-map ALLOWVPNACCESS
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350726
Simply disable the accounts at the end of the day

just kidding. It's msNPAllowDialin.
 

Author Comment

by:jwixted
ID: 24350746
:)  I'd disable all the users, all the time, if I thought I'd get away with it!

How would I use msNPAllowDialin?
 
LVL 5

Accepted Solution

by:
DTAHARLEV earned 125 total points
ID: 24350773
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS
 

Author Comment

by:jwixted
ID: 24350805
So, just replace my:

ldap-attribute-map ALLOWVPNACCESS

with

map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS

Or do I need to create an ldap-attribute-map, and drop those commands into that?
 
LVL 5

Expert Comment

by:DTAHARLEV
ID: 24350813
got me there, not sure about the exact syntax. i believe you can just put it under what you have, the existing map.
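The exact syntax the two posters above were unsure of, shown as an added example (not configuration from this thread or from Cisco's documentation). It assumes ASA 8.x, reuses the asker's LDAP_SRV_GRP server group and ALLOWVPNACCESS map name, and the group-policy names NOACCESS / ALLOWACCESS and the tunnel-group name SSLVPN_TG are assumptions:

```cisco
! Added example (not from this thread): tie the AD dial-in flag
! msNPAllowDialin to an ASA group policy.
!
! 1. The attribute map. map-name says which ASA attribute the LDAP
!    attribute feeds (IETF-Radius-Class selects a group policy);
!    map-value translates each LDAP value into a group-policy name.
ldap attribute-map ALLOWVPNACCESS
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS
!
! 2. The group policies. NOACCESS permits zero simultaneous logins, so a
!    user mapped to it authenticates successfully but cannot bring up a
!    tunnel; ALLOWACCESS is the normal policy.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 vpn-simultaneous-logins 3
!
! 3. Attach the map to the LDAP server host (the asker's config already
!    has this line) and authenticate the tunnel group against the LDAP
!    server group, not the "nt" group: NTLM authentication only checks the
!    password and cannot read user attributes.
aaa-server LDAP_SRV_GRP (inside) host 10.17.222.219
 ldap-attribute-map ALLOWVPNACCESS
!
! 4. Fail closed. A user whose dial-in setting is "Control access through
!    NPS Network Policy" has no msNPAllowDialin attribute at all, so neither
!    map-value matches and the tunnel group's default policy is applied.
!    Making that default NOACCESS means an unmapped user is denied rather
!    than silently admitted.
tunnel-group SSLVPN_TG general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy NOACCESS
```

To verify the mapping before exposing it to users, run `debug ldap 255` and then `test aaa-server authentication LDAP_SRV_GRP host 10.17.222.219 username <user> password <password>` on the ASA: the debug output shows the msNPAllowDialin value returned by the directory and the group policy the map resolved it to. A user set to "Deny access" should authenticate but be refused a session, and `show vpn-sessiondb` for a permitted user should list ALLOWACCESS as the group policy.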
 
LVL 2

Assisted Solution

by:ibiadmin6
ibiadmin6 earned 125 total points
ID: 24351012
We use AD groups to authenticate to Cisco ASAs. I did not do the Cisco end, but basically you create an AD group and a Cisco ASA group. You then map the Cisco group to the AD group. Then you apply your Cisco rules and rights to the Cisco group whose members are AD group members.

Easier to audit this way, plus you can create multiple groups in AD and on Cisco and map them for different rules and rights while on a VPN connection.

By the way, we created new AD security groups specifically for the mapping to the Cisco groups. You can mail-enable them also to send notifications such as maintenance times etc.
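The group-based approach described in the comment above, as an added example (not ibiadmin6's or Cisco's configuration): instead of the per-user dial-in flag, the map reads the user's memberOf values and picks a group policy per AD security group. The group DNs, the policy names and the tunnel-group name are assumptions; DC=mydomain,DC=com follows the asker's config.

```cisco
! Added example (not from this thread): map AD security-group membership
! to ASA group policies via memberOf. Group and policy names are assumed.
ldap attribute-map GROUP_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN-Admins,OU=Groups,DC=mydomain,DC=com VPN_ADMIN_POLICY
 map-value memberOf CN=VPN-Users,OU=Groups,DC=mydomain,DC=com VPN_USER_POLICY
!
! One policy per AD group, plus a deny policy for everyone else.
group-policy VPN_ADMIN_POLICY internal
group-policy VPN_ADMIN_POLICY attributes
 vpn-simultaneous-logins 3
 vpn-filter value ADMIN_VPN_ACL
!
group-policy VPN_USER_POLICY internal
group-policy VPN_USER_POLICY attributes
 vpn-simultaneous-logins 1
 vpn-filter value USER_VPN_ACL
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Attach the map to the LDAP host and fail closed: a valid AD account that
! is in none of the mapped groups lands in NOACCESS.
aaa-server LDAP_SRV_GRP (inside) host 10.17.222.219
 ldap-attribute-map GROUP_MAP
!
tunnel-group SSLVPN_TG general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy NOACCESS
```

Two points worth checking in the design: the map is evaluated against every memberOf value the directory returns, so a user who belongs to more than one mapped group gets whichever match the ASA processes last, which depends on the order the server returns the values; keep the mapped groups mutually exclusive, or use Dynamic Access Policies for precedence rules. Also, memberOf only lists direct membership, so a user admitted through a nested group will not match and will fall to the default policy.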
 
LVL 2

Expert Comment

by:ibiadmin6
ID: 24351015
Cisco has a .pdf with step-by-step procedures that we used for the ASAs.
 

Author Comment

by:jwixted
ID: 25164870
Sorry, my bad.  I'll close the question and split the points.
 

Author Closing Comment

by:jwixted
ID: 31579995
Applying your suggestions worked, but required a fair amount of additional research to implement.
