Techrunner
asked on
Cisco ASA LDAP Authentication for VPN and Management
Hello Experts
I am attempting to set up Microsoft LDAP authentication for SSH/ASDM access and for VPN users. I have two issues here:
- Firstly, authentication is working for SSH and ASDM; however, all users are authenticated regardless of security group membership.
- Secondly, for VPN I have a single tunnel-group and group policy. The LDAP authentication is working; however, the users are able to access everything in the inside network. Is there a way to apply a vpn-filter ACL per AD user?
This is my configuration:
For Management Access
========================
aaa-server MGMT-ADAUTH protocol ldap
aaa-server MGMT-ADAUTH (inside) host 10.10.20.4
 ldap-base-dn dc=dsfh,dc=com
 ldap-login-dn CN=fwasa-ldap,OU=fwsecurity,DC=mycompany,DC=COM
 ldap-login-password cisco
 ldap-naming-attribute samAccountName
 server-type microsoft
 ldap-scope subtree
 ldap-attribute-map NETWORK-MGMT
ldap attribute-map NETWORK-MGMT
 map-name memberOf IETF-Radius-Service-Type
 map-value memberOf "CN=networkadministrators,OU=fwsecurity,DC=mycompany,DC=COM" 6
For VPN Users
==============
aaa-server RA-VPN-ADAUTH protocol ldap
aaa-server RA-VPN-ADAUTH (inside) host 10.10.20.4
 ldap-base-dn dc=dsfh,dc=com
 ldap-login-dn CN=fwasa-ldap,OU=fwsecurity,DC=mycompany,DC=COM
 ldap-login-password cisco
 ldap-naming-attribute samAccountName
 server-type microsoft
 ldap-scope subtree
dynamic-access-policy-record RAVPN-DAP
 description "Permit Remote Access VPN to RA-VPN-GRP Group in AD"
 action terminate
Appreciating any help.
Thanks
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
Thanks
I've used your link to configure the LDAP authentication :0
I have created dynamic access policies so that if a member does not belong to the security group, the connection will be terminated.
However, I am not sure how to create dynamic access policies for specific users to grant them access to specific servers.
Use the DAP to apply an ACL
ASKER
Thanks
Can you please help me with an example
ASKER
So I can do the following:
- Create a security group in AD
- Create a DAP for each group
- Assign ACLs to the DAP policies
- The ACLs will be per group and bound to a particular DAP
Please correct me if I am wrong, or if you have any suggestions.
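The CLI side of the plan above, written out as an added example (it is not from the thread, and the hidden solution may differ). The AD group DNs, ACL and policy names, subnets and ports are assumptions for illustration. Two things the running config does not make obvious: the DAP selection criterion itself (the ldap.memberOf match) is set in ASDM under Remote Access VPN > Network (Client) Access > Dynamic Access Policies and is stored in dap.xml, so only the record name, priority, action and ACL show up in the CLI; and the ASA falls back to DfltAccessPolicy when no other record matches, so a user who is in none of the groups gets whatever that default allows unless it is set to terminate. The second half shows the DAP-free alternative of mapping memberOf straight to a group-policy that carries a vpn-filter, which is useful when ASDM is not available.

```text
! Constructed example: per-AD-group network ACLs applied through DAP records.
! All names, DNs, subnets and ports below are assumptions, not values from the thread.

! One ACL per AD group, written from the VPN client's point of view (source = client,
! destination = inside host). Permit-only ACLs are used on purpose: DAP network ACLs
! from several matching records are aggregated, and ASDM only accepts an ACL that is
! all-permit or all-deny for a DAP record; the aggregated ACL ends with an implicit deny.
access-list DAP-ACL-DBADMINS extended permit tcp any host 10.10.30.10 eq 1433
access-list DAP-ACL-DBADMINS extended permit tcp any host 10.10.30.11 eq 1433
access-list DAP-ACL-HELPDESK extended permit tcp any 10.10.40.0 255.255.255.0 eq 3389

! One DAP record per group. Selection criterion configured in ASDM (dap.xml):
!   ldap.memberOf = CN=DB-Admins,OU=fwsecurity,DC=mycompany,DC=COM
dynamic-access-policy-record DAP-DBADMINS
 description "AD DB-Admins: SQL servers only"
 network-acl DAP-ACL-DBADMINS
 priority 20

! Selection criterion in ASDM:
!   ldap.memberOf = CN=Helpdesk,OU=fwsecurity,DC=mycompany,DC=COM
dynamic-access-policy-record DAP-HELPDESK
 description "AD Helpdesk: RDP to the workstation VLAN only"
 network-acl DAP-ACL-HELPDESK
 priority 10

! Used when no other record matches. Left at "continue" with no ACL it grants an
! authenticated user outside every mapped group unrestricted access.
dynamic-access-policy-record DfltAccessPolicy
 action terminate

! ---------------------------------------------------------------------------
! CLI-only alternative without DAP: map the AD group to a group-policy that
! carries a vpn-filter, and give the tunnel-group a default policy that denies
! logins. Only one group-policy can be applied per session, so this suits
! mutually exclusive groups; DAP is the better fit when users overlap groups.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP-DBADMINS internal
group-policy GP-DBADMINS attributes
 vpn-filter value DAP-ACL-DBADMINS

! "Group-Policy" is the attribute name on ASA 8.2 and later; older releases use
! IETF-Radius-Class for the same purpose.
ldap attribute-map RAVPN-GROUPS
 map-name memberOf Group-Policy
 map-value memberOf "CN=DB-Admins,OU=fwsecurity,DC=mycompany,DC=COM" GP-DBADMINS

aaa-server RA-VPN-ADAUTH (inside) host 10.10.20.4
 ldap-attribute-map RAVPN-GROUPS

tunnel-group RAVPN general-attributes
 default-group-policy GP-NOACCESS
```

To check which record and ACL a session actually received, connect as a test user from each group and look at `show vpn-sessiondb detail anyconnect` (the Filter Name and, for DAP, the record names are listed per session); `debug ldap 255` during the login shows the memberOf values returned by AD and, for the attribute-map variant, the group-policy the map produced.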
SOLUTION
ASKER
Is it related to Management Access or VPN Users?