ASA5510 Using AD Authentication

So we've set up our new ASA5510 with LDAP/AD authentication and it's working great. We're using the SSL Any Connect client. The only thing is it seems that every single AD user now has a VPN account which is a little scary. I'm not sure if I need an add-on to my AD for Cisco devices or what but I'm not sure how to make the ASA and my LDAP seemless. I don't want every AD user thinking they can suddenly jump on from home whenever they want. Where do I define security for the VPN within AD?
prlitAsked:

bgoeringCommented:
Check this article: http://blog.scottlowe.org/2005/11/22/cisco-pix-vpn-and-active-directory-integration/ It involves using IAS on Windows and controlling your remote access policies there. Probably easier than going straight to LDAP

Good Luck
0
prlitAuthor Commented:
Yea, should have mentioned that we're using Server 2008. Sorry!
0
bgoeringCommented:
It is still a doable thing. In 2008 IAS was replaced with NPS (Network Policy Server) - it still offers RADIUS server functionality. See http://technet.microsoft.com/en-us/network/bb629414.aspx

"Network Policy Server
Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.


As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP)."

The page has links to the documentation you need.

Good Luck
0
AbruhnCommented:
You can use certificates.

Then you know only PC's with the right certificate can do VPN.

0
prlitAuthor Commented:
Totally got it working with NPS! However one small issue - I can basically allow/deny and nothing else. I don't know how to enforce the VPN group policy based on their AD containers.
0
bgoeringCommented:
Are you trying to do the health checking for Network Access Protection? Not sure I understand what it is you can't do. I believe you have to run an agent of the users PC for NAP. Take a look at http://www.microsoft.com/presspass/events/ssc/docs/CiscoMSNACWP.pdf for an overview.

Good Luck
0
prlitAuthor Commented:
No I'm using the NPS to either grant or deny VPN access.
0
bgoeringCommented:
I guess I don't understand what you are trying to do. You said " I can basically allow/deny and nothing else. I don't know how to enforce the VPN group policy based on their AD containers."

What group policy settings are you trying to enforce?

When the user logs in through the VPN it is the ASA that is interfacing with NPS to decide whether or not to allow access and it sounds like you have that working.

Thus, once the user is logged in to the VPN he/she is not necessarily logged into the domain. (1) The remote workstation must be part of the domain, (2) the user must be logged into the workstation using domain credentials, and (3) you will need to force a gpupdate command to run in order to refresh group policy on the remote workstation.

In order to do that you need to run an agent on the remote workstation that interfaces with the Network Access Protection piece referenced above.
0
prlitAuthor Commented:
I'm sorry maybe I can explain it better.

UserA  needs to VPN in and see Servers 1, 2, and 3
UserB need to only see Server 2 and should not be allowed to see server 1 or 3.

It's basically the split_tunnel list. Right now with the IPSEC client - the .pcf file determines which ASA Group Policy to use. With the NPS - the user can see the entire network.
0
bgoeringCommented:
Hmmm, take a look at http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/ and see if that is what you have in mind.

"VPN setup shows how to use IAS with VPN concentrator, ASA, or PIX. Basically, every vpn user connects with the same PCF file and enters into a group. When their username gets authenticated with ActiveDirectory, AD returns a group name to the CVPN/ASA/PIX and the pix puts them in that group."

Should be easily adaptable to NPS RADIUS functions.
0
prlitAuthor Commented:

I'm getting a little confused here:

Login to Domain Controller
- go to: Active Directory Users and Computers
- OU: austin.mgam > Radius
- add group
- "g_Radius_VPN"
- OU: austin.mgam > Vendor
- add user
- User name:
- next
- password: [user password]
0
bgoeringCommented:
I assumed the austin.mgam was the name of his AD domain. He created OUs for Radius and Vendor, then groups/users within those containers.
0
prlitAuthor Commented:
So how do I specify IP's that can/cannot be accessed in those containers?
0
bgoeringCommented:
You would create separate AD groups for the users that you wish to assign to certain ranges. Create associated groups and policies on the ASA, then associate the AD groups to the ASA groups based on the user's AD group and NPS dial-in policy.
0
prlitAuthor Commented:
Yea, I guess that's what I'm looking to do but not sure how.
0
bgoeringCommented:
Look at http://fixingit.wordpress.com/2009/09/08/using-windows-server-2008-as-a-radius-server-for-a-cisco-asa/

From the earlier article (http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/)

1. configuration > policy mgmt > traffic mgmt > network lists and add group and split tunneling attributes.
2. repeat step 1 as desired for different split tunneling attributes - associate with different groups
3. do the "AD User / Group Setup", repeat for each different group created above
4. do the "Radius / IAS Setup example" on NPS (steps might be a little different on NPS), again repeat for each group association above. Note that each NPS policy will return a RADIUS custom attribute to the ASA to associate what network list/split tunneling policy should be enforced

User logs on
ASA checks credentials
NPS determines by group membership where user belongs
NPS returns custom attribute to ASA (defined in step 4 above)
ASA applies proper split tunnel conditions to client based on NPS attribute returned

Good Luck
0
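An added configuration example (constructed here, not from the thread or any of the linked articles) showing the ASA side of the flow above in CLI form, since ASDM labels vary by version. It assumes the NPS server is at 10.0.0.5 on the inside interface, that servers 1, 2 and 3 are 10.10.0.1 to 10.10.0.3, and that each NPS network policy returns the IETF Class attribute (25) as "OU=<group-policy-name>;", which the ASA uses to pick the group policy. It goes slightly beyond the thread by adding a vpn-filter and a deny-by-default group policy, which together address the original worry that every AD account becomes a VPN account.

```text
! Constructed example, not from the thread. Assumed names: NPS at 10.0.0.5,
! interface "inside", servers 1-3 at 10.10.0.1-3, group policies
! GP_ALL_SERVERS (UserA), GP_SERVER2_ONLY (UserB), GP_NOACCESS (default).
!
! Split-tunnel network lists: one per access level
access-list SPLIT_ALL_SERVERS standard permit host 10.10.0.1
access-list SPLIT_ALL_SERVERS standard permit host 10.10.0.2
access-list SPLIT_ALL_SERVERS standard permit host 10.10.0.3
access-list SPLIT_SERVER2_ONLY standard permit host 10.10.0.2
!
! Filter ACL: split tunneling only steers the client's routing table, so the
! ASA itself must also block UserB traffic to servers 1 and 3
access-list VPN_FILTER_SERVER2 extended permit ip any host 10.10.0.2
access-list VPN_FILTER_SERVER2 extended deny ip any any
!
! Group policies selected by the Class attribute in the RADIUS Access-Accept
group-policy GP_ALL_SERVERS internal
group-policy GP_ALL_SERVERS attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ALL_SERVERS
group-policy GP_SERVER2_ONLY internal
group-policy GP_SERVER2_ONLY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_SERVER2_ONLY
 vpn-filter value VPN_FILTER_SERVER2
!
! Default policy: an AD user that NPS authenticates but does not map to a
! group policy gets zero allowed sessions instead of full network access
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
!
! RADIUS server group pointing at NPS (shared secret is a placeholder)
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.0.0.5
 key <RADIUS-SHARED-SECRET>
!
! AnyConnect tunnel group: authenticate against NPS, fall back to GP_NOACCESS
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group NPS
 default-group-policy GP_NOACCESS
!
! NPS side, per network policy (Settings > RADIUS Attributes > Standard):
!   Class (IETF 25) = "OU=GP_ALL_SERVERS;"   on the policy matching UserA's AD group
!   Class (IETF 25) = "OU=GP_SERVER2_ONLY;"  on the policy matching UserB's AD group
```

Confirm the mapping with `show vpn-sessiondb anyconnect` after a test login: the Group Policy column should show the name NPS returned, and a user in neither AD group should be refused with GP_NOACCESS.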

prlitAuthor Commented:
I'm sorry - I feel so bad saying this but I can't even find: "configuration > policy mgmt > traffic mgmt " on my ASA.

I'm shocked after spending so much time looking for instructions that this isn't a more common scenario.
0
prlitAuthor Commented:
I must say - that second link - is exactly how I got it working. I just don't know how to apply an ACL or a split_tunnel list to each policy.
0
bgoeringCommented:
I believe that assumes you are using ASDM to configure the ASA to find the policy management features.
0
prlitAuthor Commented:
Yes I am. Thanks.
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0