Solved

Remote Access VPN Authentication via AD Groups

Posted on 2014-04-03
Last Modified: 2014-04-07
Hi,

I need to use AD to define which users can gain access via the Remote Access VPN client. Users are using the IPsec VPN client to gain access to the network, and the ASA has a RADIUS server configured pointing to the DC, which also has the NPS role installed. I would like to use a specific group in AD to filter who has access.
Can someone guide me on how this can be achieved? I have tried creating a separate connection request policy and network policy with one specific AD group defined, but it doesn't work.

There is already one (looks like default) connection request policy called "Use Windows authentication for all users".

I have read that I can set up the same server as an LDAP server on the ASA and use the ASA to query AD somehow, but I wanted to ask if someone can help without doing this, as that will be so much easier.
Question by:Strinalena
8 Comments

Accepted Solution

by:
btan earned 500 total points
ID: 39976991
Probably the difference is in the AAA server you define. Below are the ASA-to-AD (LDAP) option and the ASA-to-RADIUS-to-AD option.

(1)
There is an article depicting the flow, and it is possible for the ASA to perform the LDAP authentication itself. You will need to:
a) create an LDAP attribute map, which maps customer-defined attribute names to Cisco LDAP attribute names;
b) configure one server group as an authentication server group containing an authentication server that requests an LDAP search of the user records;
c) create an external group-policy that associates the group name with the LDAP authorization server;
d) create a tunnel group that specifies LDAP authentication.

Another article shows the CLI:

! Define the attribute map first; the aaa-server host entry below references it.
! memberOf values that match a map-value line are turned into the ASA Group-Policy name.
ldap attribute-map LDAP_memberOf
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=people,DC=company,DC=com Company-VPN

aaa-server ldap-auth protocol ldap
aaa-server ldap-auth (Engineering) host 192.168.x.x
 server-port 389
 ldap-base-dn OU=people,DC=company,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ************
 ldap-login-dn CN=ldap,CN=Users,DC=company,DC=com
 server-type microsoft
 ldap-attribute-map LDAP_memberOf

group-policy Company-VPN internal
group-policy Company-VPN attributes
 dns-server value 192.168.x.x
 vpn-filter value EngineeringVPN-in
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Company-VPN_splitTunnelAcl
 default-domain value company.com

! Users whose memberOf matches nothing in the map land in this policy; zero
! simultaneous logins means a valid password alone does not get them a tunnel.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0

tunnel-group Company-VPN type remote-access
tunnel-group Company-VPN general-attributes
 address-pool EngineeringVPN
 authentication-server-group ldap-auth
 default-group-policy NoAccess

(2)
(PDF) Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA - in this case it uses RADIUS from the ASA to the AD server:
! With this option the ASA only forwards credentials; the AD group check lives in
! the NPS network policy (Windows Groups condition), not on the ASA.
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.10.40
 timeout 5
 key ASA123

group-policy remote internal
group-policy remote attributes
 wins-server value 192.168.1.90
 dns-server value 192.168.1.90
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 pfs enable
 default-domain value YourCompany.com

tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool remote-vpnpool
 authentication-server-group partnerauth
 default-group-policy remote

Author Comment

by:Strinalena
ID: 39977409
I have done the second configuration on the ASA, but then there is work to be done on the NPS, which doesn't work at the moment.

I am trying to avoid the first configuration if the second one can be made to work.
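When the NPS side "doesn't work", the quickest way to separate an ASA problem from an NPS policy problem is to send an Access-Request to NPS directly. The script below is an added example for this thread, not code from the original post, from Cisco or from Microsoft: a minimal RADIUS PAP client per RFC 2865 that builds one Access-Request (with the RFC 2869 Message-Authenticator), sends it to NPS and validates the Response Authenticator of whatever comes back. It assumes, hypothetically, that the machine running it is registered in NPS as a RADIUS client with the shared secret ASA123 from the accepted answer, and that 'vpntest' / 'Sup3rS3cret!' is a test account in the AD group named in the network policy.

```powershell
<#
Added example (not from the original thread, Cisco or Microsoft): RADIUS PAP test
client per RFC 2865 to exercise an NPS network policy without the ASA in the path.
Assumptions (hypothetical): this host is a registered RADIUS client in NPS with the
secret below; 'vpntest' is a member of the AD group used by the network policy.
#>
param(
    [string]$Server   = '192.168.10.40',
    [string]$Secret   = 'ASA123',
    [string]$UserName = 'vpntest',
    [string]$Password = 'Sup3rS3cret!',
    [string]$NasId    = 'asa-vpn-test'
)

$enc = [System.Text.Encoding]::UTF8
$md5 = [System.Security.Cryptography.MD5]::Create()

function New-RadiusAttribute([byte]$Type, [byte[]]$Value) {
    # RADIUS attribute TLV: Type(1) Length(1, counts the 2-byte header) Value
    [byte[]]@($Type, [byte]($Value.Length + 2)) + $Value
}

function Protect-PapPassword([string]$Plain, [byte[]]$RequestAuth, [byte[]]$SecretBytes) {
    # RFC 2865 5.2: pad to a 16-byte boundary, then c_i = p_i XOR MD5(secret + c_(i-1)),
    # where the Request Authenticator stands in for c_0.
    $p = $enc.GetBytes($Plain)
    $blocks = [int][math]::Max(1, [math]::Ceiling($p.Length / 16))
    $padded = New-Object byte[] ($blocks * 16)
    [Array]::Copy($p, $padded, $p.Length)
    $out  = New-Object byte[] $padded.Length
    $prev = $RequestAuth
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($SecretBytes + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$out[$i..($i + 15)]
    }
    ,$out
}

function Invoke-RadiusPapTest {
    $secretBytes = $enc.GetBytes($Secret)
    $reqAuth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)
    $id = Get-Random -Minimum 0 -Maximum 256

    # Message-Authenticator (80) goes in as 16 zero bytes and is then replaced by
    # HMAC-MD5(secret, packet); NPS can be configured to require it on Access-Requests.
    $attrs = [byte[]]((New-RadiusAttribute 1  ($enc.GetBytes($UserName))) +
                      (New-RadiusAttribute 2  (Protect-PapPassword $Password $reqAuth $secretBytes)) +
                      (New-RadiusAttribute 32 ($enc.GetBytes($NasId))) +
                      (New-RadiusAttribute 80 (New-Object byte[] 16)))
    $len = 20 + $attrs.Length
    $pkt = [byte[]](@(1, $id, ($len -shr 8), ($len -band 0xFF)) + $reqAuth + $attrs)
    $hmac = New-Object System.Security.Cryptography.HMACMD5
    $hmac.Key = $secretBytes
    [Array]::Copy($hmac.ComputeHash($pkt), 0, $pkt, $pkt.Length - 16, 16)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 5000
    [void]$udp.Send($pkt, $pkt.Length, $Server, 1812)
    $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    try   { $resp = $udp.Receive([ref]$from) }
    catch {
        $udp.Close()
        throw "No reply from $Server in 5 s. NPS discards (rather than rejects) requests from an unregistered client IP or with a bad Message-Authenticator: check the RADIUS client entry, the shared secret and UDP/1812."
    }
    $udp.Close()

    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    $tail  = if ($resp.Length -gt 20) { [byte[]]$resp[20..($resp.Length - 1)] } else { @() }
    $check = $md5.ComputeHash([byte[]]($resp[0..3] + $reqAuth + $tail + $secretBytes))
    $authValid = (($check -join ',') -eq ($resp[4..19] -join ','))

    # Walk the reply's attributes for Reply-Message (18), which NPS uses for reject text
    $replyMsg = $null; $pos = 20
    while ($pos + 2 -le $resp.Length) {
        $t = $resp[$pos]; $l = $resp[$pos + 1]
        if ($l -lt 2) { break }
        if ($t -eq 18) { $replyMsg = $enc.GetString($resp, $pos + 2, $l - 2) }
        $pos += $l
    }
    $codes = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
    [pscustomobject]@{
        Code            = [int]$resp[0]
        Result          = if ($codes.ContainsKey([int]$resp[0])) { $codes[[int]$resp[0]] } else { "code $($resp[0])" }
        IdentifierMatch = ($resp[1] -eq $id)
        ResponseAuthOK  = $authValid
        ReplyMessage    = $replyMsg
    }
}

Invoke-RadiusPapTest | Format-List
```

Run it once with an account that is in the VPN group and once with one that is not; the first should return Access-Accept and the second Access-Reject, and ResponseAuthOK must be True in both cases or the shared secret differs between the two ends. Pair each run with the Security event log on the NPS server: event 6272 (access granted) or 6273 (access denied) names the matching network policy and, for a denial, the Reason Code that explains it. The equivalent check from the ASA itself is `test aaa-server authentication partnerauth host 192.168.10.40 username vpntest password ...`, which uses the server group from the accepted answer.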

Author Comment

by:Strinalena
ID: 39977694
The issue was with the users' AD accounts. The setting "Control access through NPS Network Policy" was set to Allow instead of "Control via policy".
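The setting the author refers to is the "Network Access Permission" on the Dial-in tab of the user account, stored in the msNPAllowDialin attribute: TRUE is "Allow access", FALSE is "Deny access", and an unset attribute is "Control access through NPS Network Policy". The script below is an added example for this thread, not code from the original post or from Microsoft; it lists that setting for every member of the VPN group (recursively, as the NPS Windows Groups condition also follows nested groups) and, with -Fix, clears any explicit value so the network policy makes the decision. It assumes, hypothetically, that the RSAT ActiveDirectory module is installed, the group is named 'VPN-Users', and the caller may modify user objects.

```powershell
<#
Added example for this thread, not from the original post or from Microsoft.
Audits the Dial-in "Network Access Permission" (msNPAllowDialin) of every account
in the VPN group:
  TRUE     = Allow access
  FALSE    = Deny access
  not set  = Control access through NPS Network Policy   (what the thread needed)
Assumptions (hypothetical): RSAT ActiveDirectory module present, group 'VPN-Users',
and the caller has write access to the user objects when -Fix is used.
#>
param(
    [string]$VpnGroup = 'VPN-Users',
    [switch]$Fix    # clear explicit Allow/Deny so the NPS network policy decides
)

Import-Module ActiveDirectory -ErrorAction Stop

# -Recursive: the NPS "Windows Groups" condition honours nested group membership too
$members = Get-ADGroupMember -Identity $VpnGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties msNPAllowDialin
    $state = if ($null -eq $u.msNPAllowDialin) { 'Control via NPS policy' }
             elseif ($u.msNPAllowDialin) { 'Allow (explicit)' }
             else { 'Deny (explicit)' }

    if ($Fix -and $null -ne $u.msNPAllowDialin) {
        # Clearing the attribute is exactly what choosing "Control access through
        # NPS Network Policy" on the Dial-in tab in ADUC does.
        Set-ADUser -Identity $u -Clear msNPAllowDialin
        $state += ' -> cleared'
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        DialIn         = $state
    }
}

$report | Sort-Object DialIn, SamAccountName | Format-Table -AutoSize
```

Run without -Fix first and review the list; accounts showing "Allow (explicit)" or "Deny (explicit)" are the ones whose dial-in setting, rather than the NPS network policy, is steering the result. Disabled accounts are listed too, because group membership alone does not tell you whether the account can log on.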

Author Comment

by:Strinalena
ID: 39977976
I've requested that this question be closed as follows:

Accepted answer: 0 points for Strinalena's comment #a39977694

for the following reason:

Sorted

Author Comment

by:Strinalena
ID: 39977695
Sorted

Expert Comment

by:btan
ID: 39977978
I hope that the sharing has helped. As the initial query did not mention any errors, I thought you were looking at different options to explore. If it has helped or given an appropriate option, I hope you can kindly acknowledge it so others in the community can benefit; it seems that the question and answer are "abandoned".

Author Closing Comment

by:Strinalena
ID: 39982344
Thanks
