Solved

Remote Access VPN Authentication via AD Groups

Posted on 2014-04-03
Last Modified: 2014-04-07
Hi,

Need to use AD to define which users can gain access via the Remote Access VPN client. Users are using the IPsec VPN client to gain access to the network, and the ASA has a RADIUS server configured pointing to the DC, which also has the NPS role installed. I would like to use a specific group in AD to filter who has access.
Can someone guide me on how this can be achieved? I have tried creating a separate connection request policy and network policy with one specific AD group defined, but it doesn't work.

There is already one (looks like default) connection request policy called Use Windows Authentication for all users.

I have read that I can set up the same server as an LDAP server on the ASA and use the ASA to query AD somehow, but I wanted to ask if someone can help without doing this, as it will be so much easier.
Question by:Strinalena

Accepted Solution

by:
btan earned 500 total points
ID: 39976991
Probably the difference is in the AAA server you define. Below is ASA to AD directly, and ASA to RADIUS to AD.

(1)
There is an article depicting the flow, and it is possible for the ASA to perform the LDAP auth itself; you will need to:
a) create an LDAP attribute map which maps customer-defined attribute names to Cisco LDAP attribute names.
b) configure one server group as an authentication server group containing an authentication server that requests an LDAP search of the user records
c) create an external group-policy that associates the group-name with the LDAP authorization server
d) create a tunnel group that specifies LDAP authentication

Another article shows the CLI:

! Define the attribute map first so the aaa-server host can reference it.
! memberOf on the user object is mapped to the Cisco Group-Policy attribute;
! only the vpn_users DN gets a value, so only its members land in Company-VPN.
ldap attribute-map LDAP_memberOf
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=people,DC=company,DC=com Company-VPN

aaa-server ldap-auth protocol ldap
aaa-server ldap-auth (Engineering) host 192.168.x.x
 server-port 389
 ldap-base-dn OU=people,DC=company,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ************
 ldap-login-dn CN=ldap,CN=Users,DC=company,DC=com
 ldap-attribute-map LDAP_memberOf

! Policy applied to members of vpn_users via the attribute map.
group-policy Company-VPN internal
group-policy Company-VPN attributes
 dns-server value 192.168.x.x
 vpn-filter value EngineeringVPN-in
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Company-VPN_splitTunnelAcl
 default-domain value company.com

! Default policy for authenticated users who match no map-value:
! zero simultaneous logins means they are denied a tunnel.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

tunnel-group Company-VPN type remote-access
tunnel-group Company-VPN general-attributes
 address-pool EngineeringVPN
 authentication-server-group ldap-auth
 default-group-policy NoAccess

(2)
(pdf) Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA - in this case it uses RADIUS on the ASA to reach the AD server.
! With RADIUS, which AD group may connect is decided by the NPS network
! policy on the DC, not by the ASA; the ASA only forwards the credentials.
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.40
 timeout 5
 key ASA123

group-policy remote internal
group-policy remote attributes
 wins-server value 192.168.1.90
 dns-server value 192.168.1.90
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 pfs enable
 default-domain value YourCompany.com

tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool remote-vpnpool
 authentication-server-group partnerauth
 default-group-policy remote
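Added example, not from the thread or from Cisco: a Python simulation of the memberOf-to-Group-Policy decision the ASA makes with the LDAP attribute map in option (1), run over constructed sample accounts, to show why the tunnel-group default must be NoAccess rather than a permissive policy. Case-insensitive DN comparison and first-match-wins are assumptions of this script, not documented ASA behaviour.

```python
import re

# Constructed copy of the "ldap attribute-map" block from the configuration above.
ATTRIBUTE_MAP = """
ldap attribute-map LDAP_memberOf
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=people,DC=company,DC=com Company-VPN
"""

# Constructed sample of the memberOf values an LDAP search returns per account.
SAMPLE_USERS = {
    "alice": ["CN=vpn_users,OU=people,DC=company,DC=com",
              "CN=Domain Users,CN=Users,DC=company,DC=com"],
    "bob":   ["CN=Domain Users,CN=Users,DC=company,DC=com"],
    "carol": [],   # account exists but has no group memberships at all
}


def parse_attribute_map(text):
    """Parse map-value lines into {group DN (lowercased): ASA group-policy name}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*map-value\s+memberOf\s+(.+?)\s+(\S+)\s*$", line)
        if m:
            values[m.group(1).lower()] = m.group(2)
    return values


def select_group_policy(member_of, value_map, default_policy="NoAccess"):
    """First memberOf DN that has a map-value wins; otherwise the tunnel-group
    default-group-policy applies. Case-insensitive DN comparison and first-match
    are assumptions of this simulation, not documented ASA rules."""
    for dn in member_of:
        policy = value_map.get(dn.lower())
        if policy:
            return policy
    return default_policy


def evaluate(users, map_text, default_policy="NoAccess"):
    """Return {user: group-policy} for every sample account."""
    value_map = parse_attribute_map(map_text)
    return {u: select_group_policy(g, value_map, default_policy)
            for u, g in users.items()}


if __name__ == "__main__":
    for user, policy in evaluate(SAMPLE_USERS, ATTRIBUTE_MAP).items():
        print(f"{user}: {policy}")
```

Changing the default to Company-VPN in the call to evaluate() shows the failure mode: every authenticated domain account, not just vpn_users, would be handed the VPN policy.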

Author Comment

by:Strinalena
ID: 39977409
I have done the second configuration on the ASA, but then there is work to be done on the NPS, which doesn't work at the moment.

I am trying to avoid the first configuration if the second one can be made to work.

Author Comment

by:Strinalena
ID: 39977694
The issue was with the users' AD accounts. The setting "Control access through NPS Network Policy" was set to "Allow" instead of "Control via policy".

Author Comment

by:Strinalena
ID: 39977976
I've requested that this question be closed as follows:

Accepted answer: 0 points for Strinalena's comment #a39977694

for the following reason:

Sorted

Author Comment

by:Strinalena
ID: 39977695
Sorted

Expert Comment

by:btan
ID: 39977978
I hope that the sharing has helped; as the initial query did not mention any errors, I thought you were looking at different options to explore. If it has helped or given an appropriate option, I hope you can kindly acknowledge it so others in the community can benefit - it seems that the question and answer are "abandoned".

Author Closing Comment

by:Strinalena
ID: 39982344
Thanks