Solved

Remote Access VPN Authentication via AD Groups

Posted on 2014-04-03
Medium Priority
986 Views
Last Modified: 2014-04-07
Hi,

Need to use AD to define which users can gain access via the Remote Access VPN client. Users are using the IPsec VPN client to gain access to the network, and the ASA has a RADIUS server configured pointing to the DC, which also has the NPS role installed. I would like to use a specific group in AD to filter who has access.
Can someone guide me on how this can be achieved? I have tried creating a separate connection request policy and network policy with one specific AD group defined, but it doesn't work.

There is already one (looks like default) connection request policy called Use Windows Authentication for all users.

I have read that I can set up the same server as an LDAP server on the ASA and have the ASA query AD somehow, but I wanted to ask if someone can help without doing this, as that would be so much easier.
Question by:Strinalena
8 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39976991
Probably the difference is in the AAA server you define.
Below are the ASA to AD (LDAP) option and the ASA to RADIUS to AD option.

(1)
There is an article depicting the flow, and it is possible for the ASA to perform the LDAP auth itself. You will need to:
a) create an LDAP attribute map which maps customer-defined attribute names to Cisco LDAP attribute names;
b) configure one server group as an authentication server group containing an authentication server that requests an LDAP search of the user records;
c) create an external group-policy that associates the group name with the LDAP authorization server;
d) create a tunnel group that specifies LDAP authentication.

Another article showing the CLI:

! Attribute map: when a user's memberOf holds the vpn_users DN, the ASA assigns
! group-policy Company-VPN. The map must exist before the aaa-server references it.
ldap attribute-map LDAP_memberOf
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=people,DC=company,DC=com Company-VPN

! LDAP server group: the ASA binds with the ldap-login-dn account and searches
! the base DN for the user by sAMAccountName
aaa-server ldap-auth protocol ldap
aaa-server ldap-auth (Engineering) host 192.168.x.x
 server-port 389
 ldap-base-dn OU=people,DC=company,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ************
 ldap-login-dn CN=ldap,CN=Users,DC=company,DC=com
 server-type microsoft
 ldap-attribute-map LDAP_memberOf

! Policy for members of vpn_users (the vpn-filter ACL and split-tunnel ACL
! are defined elsewhere)
group-policy Company-VPN internal
group-policy Company-VPN attributes
 dns-server value 192.168.x.x
 vpn-filter value EngineeringVPN-in
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Company-VPN_splitTunnelAcl
 default-domain value company.com

! Users who authenticate but are not in vpn_users get the tunnel group's default
! policy; zero simultaneous logins means their tunnel is refused
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

tunnel-group Company-VPN type remote-access
tunnel-group Company-VPN general-attributes
 address-pool EngineeringVPN
 authentication-server-group ldap-auth
 default-group-policy NoAccess

(2)
(pdf) Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA - in this case RADIUS is enabled on the ASA towards the AD server (NPS), and the group check is done in the NPS network policy rather than on the ASA.

! RADIUS server group pointing at the NPS server; the shared key must match
! the RADIUS client entry for this ASA in NPS
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.40
 timeout 5
 key ASA123

group-policy remote internal
group-policy remote attributes
 wins-server value 192.168.1.90
 dns-server value 192.168.1.90
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 pfs enable
 default-domain value YourCompany.com

tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool remote-vpnpool
 authentication-server-group partnerauth
 default-group-policy remote
0
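A check worth running before relying on option (1): the ASA attribute map compares the user's memberOf attribute against the DN string in map-value, and memberOf lists direct group membership only, so a user who is only a nested member of vpn_users will fall through to the tunnel group's default policy. The following PowerShell is an added example, not code from the thread or from Cisco; it assumes the RSAT ActiveDirectory module is installed and uses the placeholder DN from the config above and made-up account names.

```powershell
# Added example (not from the original thread): check whether a user will match the
# "map-value memberOf CN=vpn_users,OU=people,DC=company,DC=com Company-VPN" line above.
# The ASA matches the user's memberOf values against that DN string, and memberOf holds
# DIRECT membership only, so nested-only members end up in default-group-policy NoAccess.
# Assumptions: RSAT ActiveDirectory module; DN and account names are placeholders.
Import-Module ActiveDirectory

$MapValueDn = 'CN=vpn_users,OU=people,DC=company,DC=com'   # copy verbatim from the attribute map

function Test-AsaMemberOfMatch {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # the ASA's ldap-naming-attribute
        [Parameter(Mandatory)] [string] $GroupDn
    )
    # Confirm the DN in the map exists and is spelled exactly the way AD returns it
    $group = Get-ADGroup -Identity $GroupDn
    if ($group.DistinguishedName -cne $GroupDn) {
        Write-Warning "map-value DN differs from AD's: '$($group.DistinguishedName)'"
    }

    $user   = Get-ADUser -Identity $SamAccountName -Properties memberOf
    $direct = [bool]($user.memberOf -ccontains $group.DistinguishedName)

    # Effective membership including nested groups, for comparison with the direct check
    $recursive = Get-ADGroupMember -Identity $group -Recursive |
                 Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq $SamAccountName }

    [pscustomobject]@{
        User           = $SamAccountName
        DirectMember   = $direct                          # what the ASA attribute map sees
        NestedOnly     = (-not $direct) -and [bool]$recursive
        ExpectedPolicy = $(if ($direct) { 'Company-VPN' } else { 'NoAccess (tunnel-group default)' })
    }
}

# Usage with placeholder accounts
'jdoe', 'contractor1' | ForEach-Object { Test-AsaMemberOfMatch -SamAccountName $_ -GroupDn $MapValueDn }
```

If a user shows NestedOnly = True, either add them directly to vpn_users or add a second map-value line for the nested group's DN; the ASA will not expand the nesting for you.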
 

Author Comment

by:Strinalena
ID: 39977409
I have done the second configuration on the ASA, but then there is work to be done on the NPS, which doesn't work at the moment.

I am trying to avoid the first configuration if the second one can be made to work.
0
 

Author Comment

by:Strinalena
ID: 39977694
The issue was with the users' AD accounts. The setting "Control access through NPS Network Policy" was set to Allow instead of Control via policy.
0
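The dial-in setting the author mentions is stored in AD as the msNPAllowDialin attribute: TRUE is "Allow access", FALSE is "Deny access", and not set is "Control access through NPS Network Policy". Only the unset value defers the grant/deny decision to the matching NPS network policy (and therefore to its AD-group condition). The script below is an added example, not part of the thread; it assumes the RSAT ActiveDirectory module and uses the placeholder group name vpn_users from the config above.

```powershell
# Added example (not from the original thread): find VPN-group members whose account
# dial-in setting overrides the NPS network policy, and reset them to
# "Control access through NPS Network Policy" by clearing msNPAllowDialin.
# msNPAllowDialin: $true = Allow access, $false = Deny access, not set = control via NPS policy.
# Assumptions: RSAT ActiveDirectory module; 'vpn_users' is a placeholder group name.
Import-Module ActiveDirectory

function Get-DialinOverride {
    param([Parameter(Mandatory)] [string] $GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties msNPAllowDialin |
        Where-Object { $null -ne $_.msNPAllowDialin } |     # unset = already controlled by policy
        Select-Object SamAccountName,
            @{ n = 'DialIn'; e = { if ($_.msNPAllowDialin) { 'Allow' } else { 'Deny' } } }
}

function Reset-DialinToPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $GroupName)
    Get-DialinOverride -GroupName $GroupName | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Clear msNPAllowDialin (control access via NPS policy)')) {
            # Clearing the attribute returns the account to "Control access through NPS Network Policy"
            Set-ADUser -Identity $_.SamAccountName -Clear msNPAllowDialin
        }
    }
}

# Audit first, then preview the fix; drop -WhatIf to apply it
Get-DialinOverride -GroupName 'vpn_users' | Format-Table -AutoSize
Reset-DialinToPolicy -GroupName 'vpn_users' -WhatIf
```

Run the audit over any group your NPS network policy references, not just vpn_users: an account with "Deny access" set will be refused even when the policy conditions match, which shows up in the NPS event log as a reject with no policy-side explanation.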

Author Comment

by:Strinalena
ID: 39977976
I've requested that this question be closed as follows:

Accepted answer: 0 points for Strinalena's comment #a39977694

for the following reason:

Sorted
0
 

Author Comment

by:Strinalena
ID: 39977695
Sorted
0
 
LVL 65

Expert Comment

by:btan
ID: 39977978
I hope that the sharing has helped. As the initial query did not mention any errors, I thought you were looking at different options to explore. If that has helped or given an appropriate option, I hope you can kindly acknowledge it so others in the community can benefit; it seems that the question and answer is "abandoned".
0
 

Author Closing Comment

by:Strinalena
ID: 39982344
Thanks
0
