Remote Access VPN Authentication via AD Groups

Hi,

Need to use AD to define which users can gain access via the remote Access VPN client. Users are using the IPsec VPN client to gain access to the network and the ASA has a radius server configured pointing to the DC, which also has the NPS role Installed. I would like to use a specific group in AD to filter who has access.
Can someone guide me on how this can be achieved as I have tried creating separate connections request policy and network policy with one specific AD group defined, but it doesnt work.

There is already one (looks like default) connection request policy called Use Windows Authentication for all users.

I have read that I can set up the same server as LDAP server on the ASA and use the ASA to query AD somehow but wanted to ask if someone can help without doing this as will be so much easier.
Strinalena asked:
btan (Exec Consultant) commented:
Probably the difference is in the AAA server you define.
Below are the ASA-to-AD and ASA-to-RADIUS-to-AD options.

(1)
There is an article depicting the flow, and it is possible for the ASA to perform the LDAP auth. You will need to:
a) create an LDAP attribute map which maps customer-defined attribute names to Cisco LDAP attribute names;
b) configure one server group as an authentication server group containing an authentication server that requests an LDAP search of the user records;
c) create an external group-policy that associates the group name with the LDAP authorization server;
d) create a tunnel group that specifies LDAP authentication.

Another article showing the CLI:

aaa-server ldap-auth (Engineering) host 192.168.x.x
 server-port 389
 ldap-base-dn OU=people,DC=company,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ************
 ldap-login-dn CN=ldap,CN=Users,DC=company,DC=com
 ldap-attribute-map LDAP_memberOf
 
 ldap attribute-map LDAP_memberOf
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=people,DC=company,DC=com Company-VPN

group-policy Company-VPN internal
group-policy Company-VPN attributes
 dns-server value 192.168.x.x
 vpn-filter value EngineeringVPN-in
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Company-VPN_splitTunnelAcl
 default-domain value company.com

tunnel-group Company-VPN type remote-access
tunnel-group Company-VPN general-attributes
 address-pool EngineeringVPN
 authentication-server-group ldap-auth
 default-group-policy NoAccess

(2)
(PDF) Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA - in this case it is using RADIUS enabled on the ASA to the LDAP AD server:
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.40
 timeout 5
 key ASA123

group-policy remote attributes
 wins-server value 192.168.1.90
 dns-server value 192.168.1.90
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 pfs enable
 default-domain value YourCompany.com

tunnel-group remote general-attributes
 address-pool remote-vpnpool
 authentication-server-group partnerauth
 default-group-policy remote
Strinalena (Author) commented:
I have done the second configuration on the ASA, but then there is work to be done on the NPS, which doesn't work at the moment.

I am trying to avoid the first configuration if the second one can be set to work.
Strinalena (Author) commented:
The issue was with the users' AD accounts. The setting "Control access through NPS Network Policy" was set to Allow instead of Control via policy.
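The root cause found above is a per-account dial-in permission that overrides the NPS network policy. As an added example (not part of the thread), the PowerShell below audits the domain for accounts with an explicit Allow or Deny; the group DN and OU are taken from btan's sample config, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the original thread: audit which AD accounts
# carry an explicit dial-in permission. RSAT ActiveDirectory module assumed.
Import-Module ActiveDirectory

# Group and search base are assumed from btan's sample config above.
$VpnGroupDn = 'CN=vpn_users,OU=people,DC=company,DC=com'
$SearchBase = 'OU=people,DC=company,DC=com'

# msNPAllowDialin is the attribute behind the account's Dial-in tab:
#   not set -> Control access through NPS Network Policy (desired)
#   $true   -> Allow access  (overrides the network policy's Grant/Deny)
#   $false  -> Deny access
function Get-DialinState {
    param($User)
    if ($null -eq $User.msNPAllowDialin) { return 'ControlViaPolicy' }
    if ($User.msNPAllowDialin -eq $true) { return 'Allow' }
    return 'Deny'
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties msNPAllowDialin, memberOf

# memberOf lists direct membership only, same as the ASA attribute map above.
$report = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        InVpnGroup     = $u.memberOf -contains $VpnGroupDn
        DialinState    = Get-DialinState -User $u
    }
}

# Accounts set to Allow are granted whenever a network policy matches,
# regardless of that policy's Grant/Deny action (unless the policy ignores
# dial-in properties). That is the misconfiguration the thread ended on;
# the worst case is an Allow on an account that is not in the VPN group.
$explicit = $report | Where-Object { $_.DialinState -ne 'ControlViaPolicy' }
$report | Sort-Object DialinState, InVpnGroup | Format-Table -AutoSize
'{0} of {1} enabled accounts bypass NPS network policy' -f @($explicit).Count, @($report).Count

# Remediation (review the list first, then uncomment): clearing the attribute
# returns the account to "Control access through NPS Network Policy".
# $explicit | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -Clear msNPAllowDialin }
```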
Strinalena (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for Strinalena's comment #a39977694

for the following reason:

Sorted
Strinalena (Author) commented:
Sorted
btan (Exec Consultant) commented:
I hope that the sharing has helped, and as the initial query did not mention any errors, I thought you were looking at different options to explore. If that has helped or given an appropriate option, I hope you can kindly acknowledge it so others in the community can benefit - it seems that the question and answer are "abandoned".
Strinalena (Author) commented:
Thanks