Solved

ASA5510 Using AD Authentication

Posted on 2010-08-12
22
936 Views
Last Modified: 2012-05-10
So we've set up our new ASA5510 with LDAP/AD authentication and it's working great. We're using the SSL AnyConnect client. The only thing is it seems that every single AD user now has a VPN account, which is a little scary. I'm not sure if I need an add-on to my AD for Cisco devices or what, but I'm not sure how to make the ASA and my LDAP seamless. I don't want every AD user thinking they can suddenly jump on from home whenever they want. Where do I define security for the VPN within AD?
0
Comment
Question by:prlit
22 Comments
 
LVL 28

Expert Comment

by:bgoering
ID: 33430074
Check this article: http://blog.scottlowe.org/2005/11/22/cisco-pix-vpn-and-active-directory-integration/ It involves using IAS on Windows and controlling your remote access policies there. Probably easier than going straight to LDAP.

Good Luck
0
 
LVL 1

Author Comment

by:prlit
ID: 33430611
Yeah, should have mentioned that we're using Server 2008. Sorry!
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33431745
It is still a doable thing. In 2008 IAS was replaced with NPS (Network Policy Server); it still offers RADIUS server functionality. See http://technet.microsoft.com/en-us/network/bb629414.aspx

"Network Policy Server
Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.


As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP)."

The page has links to the documentation you need.

Good Luck
0
 

Expert Comment

by:Abruhn
ID: 33444874
You can use certificates.

Then you know only PCs with the right certificate can do VPN.

0
 
LVL 1

Author Comment

by:prlit
ID: 33455691
Totally got it working with NPS! However, one small issue: I can basically allow/deny and nothing else. I don't know how to enforce the VPN group policy based on their AD containers.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33457294
Are you trying to do the health checking for Network Access Protection? Not sure I understand what it is you can't do. I believe you have to run an agent on the user's PC for NAP. Take a look at http://www.microsoft.com/presspass/events/ssc/docs/CiscoMSNACWP.pdf for an overview.

Good Luck
0
 
LVL 1

Author Comment

by:prlit
ID: 33457304
No I'm using the NPS to either grant or deny VPN access.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33457388
I guess I don't understand what you are trying to do. You said "I can basically allow/deny and nothing else. I don't know how to enforce the VPN group policy based on their AD containers."

What group policy settings are you trying to enforce?

When the user logs in through the VPN it is the ASA that is interfacing with NPS to decide whether or not to allow access and it sounds like you have that working.

Thus, once the user is logged in to the VPN he/she is not necessarily logged into the domain. (1) The remote workstation must be part of the domain, (2) the user must be logged into the workstation using domain credentials, and (3) you will need to force a gpupdate command to run in order to refresh group policy on the remote workstation.

In order to do that you need to run an agent on the remote workstation that interfaces with the Network Access Protection piece referenced above.
0
 
LVL 1

Author Comment

by:prlit
ID: 33457414
I'm sorry maybe I can explain it better.

UserA needs to VPN in and see Servers 1, 2, and 3.
UserB needs to only see Server 2 and should not be allowed to see Server 1 or 3.

It's basically the split-tunnel list. Right now with the IPsec client, the .pcf file determines which ASA group policy to use. With the NPS, the user can see the entire network.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33457843
Hmmm, take a look at http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/ and see if that is what you have in mind.

"VPN setup shows how to use IAS with VPN concentrator, ASA, or PIX. Basically, every vpn user connects with the same PCF file and enters into a group. When their username gets authenticated with ActiveDirectory, AD returns a group name to the CVPN/ASA/PIX and the pix puts them in that group."

Should be easily adaptable to NPS RADIUS functions.
0
 
LVL 1

Author Comment

by:prlit
ID: 33480634

I'm getting a little confused here:

Login to Domain Controller
- go to: Active Directory Users and Computers
- OU: austin.mgam > Radius
- add group
- g_Radius_VPN
- OU: austin.mgam > Vendor
- add user
- User name:
- next
- password: [user password]
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33485462
I assumed the austin.mgam was the name of his AD domain. He created OUs for Radius and Vendor, then groups/users within those containers.
0
 
LVL 1

Author Comment

by:prlit
ID: 33501585
So how do I specify IPs that can/cannot be accessed in those containers?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33501776
You would create separate AD groups for the users that you wish to assign to certain ranges. Create associated groups and policies on the ASA, then associate the AD groups to the ASA groups based on the user's AD group and NPS dial-in policy.
0
 
LVL 1

Author Comment

by:prlit
ID: 33501788
Yeah, I guess that's what I'm looking to do but not sure how.
0
 
LVL 28

Accepted Solution

by:bgoering (earned 500 total points)
ID: 33502834
Look at http://fixingit.wordpress.com/2009/09/08/using-windows-server-2008-as-a-radius-server-for-a-cisco-asa/

From the earlier article (http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/)

1. configuration > policy mgmt > traffic mgmt > network lists and add group and split tunneling attributes.
2. repeat step 1 as desired for different split tunneling attributes; associate with different groups.
3. do the "AD User / Group Setup", repeat for each different group created above.
4. do the "Radius / IAS Setup example" on NPS (steps might be a little different on NPS), again repeat for each group association above. Note that each NPS policy will return a RADIUS custom attribute to the ASA to associate what network list/split tunneling policy should be enforced.

User logs on
ASA checks credentials
NPS determines by group membership where user belongs
NPS returns custom attribute to ASA (defined in step 4 above)
ASA applies proper split tunnel conditions to client based on NPS attribute returned

Good Luck
NPS
0
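An added illustration of the flow bgoering describes, not configuration from the thread or from either linked article: the CLI equivalents of the ASDM steps, with two ASA group policies carrying different split-tunnel network lists, a RADIUS server group pointing at NPS, and a deny-by-default policy so AD users NPS does not map to a VPN group get no access. All names, addresses and the shared secret are assumed placeholders; the AnyConnect protocol keyword is the one used on 8.2-era code.

```text
! --- Added example, not from the thread. All names/addresses are placeholders. ---
! Steps 1-2: one split-tunnel network list per access level
access-list ST_ALL_SERVERS standard permit host 10.0.0.1
access-list ST_ALL_SERVERS standard permit host 10.0.0.2
access-list ST_ALL_SERVERS standard permit host 10.0.0.3
access-list ST_SERVER2_ONLY standard permit host 10.0.0.2
!
! Group policy for UserA's AD group: reaches servers 1, 2 and 3
group-policy GP_ALL_SERVERS internal
group-policy GP_ALL_SERVERS attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST_ALL_SERVERS
!
! Group policy for UserB's AD group: reaches server 2 only
group-policy GP_SERVER2_ONLY internal
group-policy GP_SERVER2_ONLY attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST_SERVER2_ONLY
!
! Default policy: zero allowed logins, so an AD user that NPS did not map
! to one of the policies above (i.e. not in a VPN group) cannot connect.
group-policy GP_NO_ACCESS internal
group-policy GP_NO_ACCESS attributes
 vpn-simultaneous-logins 0
!
! RADIUS server group pointing at the NPS server (placeholder address/secret)
aaa-server NPS_RADIUS protocol radius
aaa-server NPS_RADIUS (inside) host 10.0.1.10
 key <shared-secret-placeholder>
!
! AnyConnect tunnel group authenticates against NPS; GP_NO_ACCESS applies
! unless NPS returns a group-policy name
tunnel-group ANYCONNECT_TG general-attributes
 authentication-server-group NPS_RADIUS
 default-group-policy GP_NO_ACCESS
!
! On NPS (step 4): each Network Policy uses a "Windows Groups" condition for
! the matching AD group and returns standard RADIUS attribute 25 (Class) with
! the value "OU=GP_ALL_SERVERS;" or "OU=GP_SERVER2_ONLY;" (trailing semicolon
! included). The ASA reads the OU= value as the group-policy name and applies
! that policy's split-tunnel list to the session.
```

To confirm which policy a session actually received, check the Group Policy field in `show vpn-sessiondb svc` (or the ASDM session monitor) after a test login from each AD group.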
 
LVL 1

Author Comment

by:prlit
ID: 33526500
I'm sorry, I feel so bad saying this, but I can't even find "configuration > policy mgmt > traffic mgmt" on my ASA.

I'm shocked after spending so much time looking for instructions that this isn't a more common scenario.
0
 
LVL 1

Author Comment

by:prlit
ID: 33526514
I must say, that second link is exactly how I got it working. I just don't know how to apply an ACL or a split-tunnel list to each policy.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33526718
I believe that assumes you are using ASDM to configure the ASA, to find the policy management features.
0
 
LVL 1

Author Comment

by:prlit
ID: 33531885
Yes I am. Thanks.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34376015
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
