Solved

ASA5510 Using AD Authentication

Posted on 2010-08-12
22
941 Views
Last Modified: 2012-05-10
So we've set up our new ASA5510 with LDAP/AD authentication and it's working great. We're using the SSL AnyConnect client. The only thing is it seems that every single AD user now has a VPN account which is a little scary. I'm not sure if I need an add-on to my AD for Cisco devices or what but I'm not sure how to make the ASA and my LDAP seamless. I don't want every AD user thinking they can suddenly jump on from home whenever they want. Where do I define security for the VPN within AD?
0
Comment
Question by:prlit
22 Comments
 
LVL 28

Expert Comment

by:bgoering
ID: 33430074
Check this article: http://blog.scottlowe.org/2005/11/22/cisco-pix-vpn-and-active-directory-integration/ It involves using IAS on Windows and controlling your remote access policies there. Probably easier than going straight to LDAP

Good Luck
0
 
LVL 1

Author Comment

by:prlit
ID: 33430611
Yea, should have mentioned that we're using Server 2008. Sorry!
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33431745
It is still a doable thing. In 2008 IAS was replaced with NPS (Network Policy Server) - it still offers RADIUS server functionality. See http://technet.microsoft.com/en-us/network/bb629414.aspx

"Network Policy Server
Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.


As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP)."

The page has links to the documentation you need.

Good Luck
0
 

Expert Comment

by:Abruhn
ID: 33444874
You can use certificates.

Then you know only PC's with the right certificate can do VPN.

0
 
LVL 1

Author Comment

by:prlit
ID: 33455691
Totally got it working with NPS! However one small issue - I can basically allow/deny and nothing else. I don't know how to enforce the VPN group policy based on their AD containers.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33457294
Are you trying to do the health checking for Network Access Protection? Not sure I understand what it is you can't do. I believe you have to run an agent on the user's PC for NAP. Take a look at http://www.microsoft.com/presspass/events/ssc/docs/CiscoMSNACWP.pdf for an overview.

Good Luck
0
 
LVL 1

Author Comment

by:prlit
ID: 33457304
No I'm using the NPS to either grant or deny VPN access.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33457388
I guess I don't understand what you are trying to do. You said " I can basically allow/deny and nothing else. I don't know how to enforce the VPN group policy based on their AD containers."

What group policy settings are you trying to enforce?

When the user logs in through the VPN it is the ASA that is interfacing with NPS to decide whether or not to allow access and it sounds like you have that working.

Thus, once the user is logged in to the VPN he/she is not necessarily logged into the domain. (1) The remote workstation must be part of the domain, (2) the user must be logged into the workstation using domain credentials, and (3) you will need to force a gpupdate command to run in order to refresh group policy on the remote workstation.

In order to do that you need to run an agent on the remote workstation that interfaces with the Network Access Protection piece referenced above.
0
 
LVL 1

Author Comment

by:prlit
ID: 33457414
I'm sorry maybe I can explain it better.

UserA  needs to VPN in and see Servers 1, 2, and 3
UserB need to only see Server 2 and should not be allowed to see server 1 or 3.

It's basically the split_tunnel list. Right now with the IPSEC client - the .pcf file determines which ASA Group Policy to use. With the NPS - the user can see the entire network.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33457843
Hmmm, take a look at http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/ and see if that is what you have in mind.

"VPN setup shows how to use IAS with VPN concentrator, ASA, or PIX. Basically, every vpn user connects with the same PCF file and enters into a group. When their username gets authenticated with ActiveDirectory, AD returns a group name to the CVPN/ASA/PIX and the pix puts them in that group."

Should be easily adaptable to NPS RADIUS functions.
0
 
LVL 1

Author Comment

by:prlit
ID: 33480634

I'm getting a little confused here:

Login to Domain Controller
- go to: Active Directory Users and Computers
- OU: austin.mgam > Radius
- add group
- "g_Radius_VPN"
- OU: austin.mgam > Vendor
- add user
- User name:
- next
- password: [user password]
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33485462
I assumed the austin.mgam was the name of his AD domain. He created OUs for Radius and Vendor, then groups/users within those containers.
0
 
LVL 1

Author Comment

by:prlit
ID: 33501585
So how do I specify IP's that can/cannot be accessed in those containers?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33501776
You would create separate AD groups for the users that you wish to assign to certain ranges. Create associated groups and policies on the ASA, then associate the AD groups to the ASA groups based on the user's AD group and NPS dial-in policy
0
 
LVL 1

Author Comment

by:prlit
ID: 33501788
Yea, I guess that what I'm looking to do but not sure how.
0
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33502834
Look at http://fixingit.wordpress.com/2009/09/08/using-windows-server-2008-as-a-radius-server-for-a-cisco-asa/

From the earlier article (http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/)

1. configuration > policy mgmt > traffic mgmt > network lists and add group and split tunneling attributes.
2. repeat step 1 as desired for different split tunneling attributes - associate with different groups
3. do the "AD User / Group Setup", repeat for each different group created above
4. do the "Radius / IAS Setup example" on NPS (steps might be a little different on NPS), again repeat for each group association above. Note that each NPS policy will return a radius custom attribute to the ASA to associate what network list/split tunneling policy should be enforced

User logs on
ASA checks credentials
NPS determines by group membership where user belongs
NPS returns custom attribute to ASA (defined in step 4 above)
ASA applies proper split tunnel conditions to client based on NPS attribute returned

Good Luck
0
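The flow bgoering lays out above (user logs on, ASA asks NPS, NPS returns an attribute by AD group membership, ASA applies the matching split-tunnel policy) written out as an ASA CLI configuration, covering prlit's UserA/UserB case with one group policy per server set. This is an added example, not from the thread or from any of the linked articles; the group-policy names, ACL names, server addresses, NPS host and tunnel-group name are all constructed. Two things it adds that the thread does not spell out: a deny-by-default fallback policy, so an AD account that NPS authenticates but does not map to a group policy cannot hold a session (the original worry in the question), and a `vpn-filter` beside each split-tunnel list, because the split-tunnel list only tells the client which routes to send through the tunnel and does not stop a client that adds its own routes from reaching the other servers.

```cisco
! --- Added example, not from the thread. Names and addresses are constructed. ---

! RADIUS server group pointing at NPS (assumed NPS host 10.10.0.50)
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.10.0.50
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! Split-tunnel lists: the routes each policy pushes to the AnyConnect client
access-list SPLIT_ALL_SERVERS standard permit host 10.10.0.1
access-list SPLIT_ALL_SERVERS standard permit host 10.10.0.2
access-list SPLIT_ALL_SERVERS standard permit host 10.10.0.3
access-list SPLIT_SERVER2_ONLY standard permit host 10.10.0.2

! vpn-filter ACLs: enforced on the ASA after decryption, so a client that
! adds its own routes still cannot reach the excluded servers.
! Assumption: for remote-access sessions the filter is evaluated with the
! client's assigned address as the source (hence "any"); confirm the
! direction against the Cisco vpn-filter documentation for your release.
access-list VPNFILTER_ALL_SERVERS extended permit ip any host 10.10.0.1
access-list VPNFILTER_ALL_SERVERS extended permit ip any host 10.10.0.2
access-list VPNFILTER_ALL_SERVERS extended permit ip any host 10.10.0.3
access-list VPNFILTER_SERVER2_ONLY extended permit ip any host 10.10.0.2

! Policy for UserA-type accounts: servers 1, 2 and 3
group-policy GP_SERVERS_ALL internal
group-policy GP_SERVERS_ALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ALL_SERVERS
 vpn-filter value VPNFILTER_ALL_SERVERS

! Policy for UserB-type accounts: server 2 only
group-policy GP_SERVER2_ONLY internal
group-policy GP_SERVER2_ONLY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_SERVER2_ONLY
 vpn-filter value VPNFILTER_SERVER2_ONLY

! Fallback for any AD account NPS authenticates but does not map to a
! group policy: zero simultaneous logins means the session is torn down.
group-policy GP_NO_ACCESS internal
group-policy GP_NO_ACCESS attributes
 vpn-simultaneous-logins 0

! AnyConnect tunnel group: authenticate against NPS; the deny policy is the
! default and is only replaced when RADIUS returns a group-policy name.
tunnel-group ANYCONNECT_VPN type remote-access
tunnel-group ANYCONNECT_VPN general-attributes
 authentication-server-group NPS
 default-group-policy GP_NO_ACCESS
tunnel-group ANYCONNECT_VPN webvpn-attributes
 group-alias Corporate enable
```

On the NPS side this assumes one Network Policy per AD group (for instance a constructed `g_VPN_ServersAll` mapped to `GP_SERVERS_ALL` and `g_VPN_Server2` mapped to `GP_SERVER2_ONLY`), each with a Windows Groups condition, access permission set to grant, and under Settings > RADIUS Attributes > Standard the IETF `Class` attribute (attribute 25) set to the string `OU=GP_SERVERS_ALL;` (respectively `OU=GP_SERVER2_ONLY;`). The ASA reads a Class value of the form `OU=<group-policy-name>;` as the group policy to apply; on ASA 8.2 and later the Cisco vendor-specific `Group-Policy` attribute can be used for the same purpose. A user in neither group either fails the NPS policies outright or, if some other policy grants access without a Class value, lands in `GP_NO_ACCESS` and is disconnected. To verify a mapping, `show vpn-sessiondb anyconnect` lists the group policy each active session received, which is the quickest check that NPS returned what you expect.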
 
LVL 1

Author Comment

by:prlit
ID: 33526500
I'm sorry - I feel so bad saying this but I can't even find: "configuration > policy mgmt > traffic mgmt " on my ASA.

I'm shocked after spending so much time looking for instructions that this isn't a more common scenario.
0
 
LVL 1

Author Comment

by:prlit
ID: 33526514
I must say - that second link - is exactly how I got it working. I just don't know how to apply an ACL or a split_tunnel list to each policy.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33526718
I believe that assumes you are using ASDM to configure the ASA to find the policy management features.
0
 
LVL 1

Author Comment

by:prlit
ID: 33531885
Yes I am. Thanks.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34376015
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
