Configure Cisco ASA remote access VPN with Active Directory authentication
The following modification to the ASA device allows VPN users to authenticate against their Windows domain passwords on either ldap1.domain.local or ldap2.domain.local. Before the authentication query is performed, the ASA connects to the domain via cn=Windows Name, CN=Users, DC=domain, DC=local and the associated password. Valid VPN users are members of the AD security group CN=VPN users,OU=Security,DC=domain,DC=local.
NB: Correct LDAP distinguished names are a PITA to find. The command line tool dsquery is extremely helpful. For example, if the SAM account name (sAMAccountName) in question is windowsname, then the following will show its distinguished name:
dsquery user -samid windowsname
The distinguished name for the security group could also be found with dsquery – note the quotation marks necessary to handle the group name that includes a space:
dsquery group -samid "VPN users"
AAA Server configuration
In the following configuration steps, replace the 192.168.x.x addresses with the addresses of the two LDAP servers. The attribute map ASAMAP determines which Active Directory security group's members are allowed to connect to the VPN.
plainville-asa(config)# sh run aaa-server LDAP
aaa-server LDAP protocol ldap
aaa-server LDAP host 192.168.x.x
ldap-base-dn dc=domain, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=Windows Name, CN=Users, DC=domain, DC=local
server-type microsoft
ldap-attribute-map ASAMAP
aaa-server LDAP host 192.168.x.x
ldap-base-dn dc=domain, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=Windows Name, CN=Users, DC=domain, DC=local
server-type microsoft
ldap-attribute-map ASAMAP
LDAP attribute map
Replace the value ASAGroupPolicyName with the VPN group policy which will use the LDAP authentication.
plainville-asa(config)# sh run ldap
ldap attribute-map ASAMAP
map-name memberOf cVPN3000-IETF-Radius-Class
map-value memberOf "CN=VPN users,OU=Security,DC=domain,DC=local" ASAGroupPolicyName
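The following pre-flight checker is an added example, not part of this post or of Cisco's code: it mirrors what the AAA server and attribute map above do with a user entry, so the map can be validated against real ldapsearch/dsquery output before the VPN is cut over. The entries, the NOACCESS default policy name and the DN normalisation are my own constructions; the point it makes is that a user with no matching memberOf value falls back to the tunnel-group's default group-policy, so that default must deny access if only "VPN users" members should connect.

```python
import base64
import re

# Constructed mirror of the page's "ldap attribute-map ASAMAP": a memberOf value
# that equals a map-value is returned as IETF-Radius-Class, i.e. the group-policy name.
ATTRIBUTE_MAP = {
    "memberOf": {"CN=VPN users,OU=Security,DC=domain,DC=local": "ASAGroupPolicyName"},
}

# Constructed sample entries in the shape ldapsearch would return for the
# base-dn / sAMAccountName lookup the ASA configuration performs.
MEMBER_LDIF = """dn: CN=Windows Name,CN=Users,DC=domain,DC=local
sAMAccountName: windowsname
memberOf: CN=Domain Users,CN=Users,DC=domain,DC=local
memberOf: cn=VPN users, OU=Security, DC=domain, DC=local
"""
NON_MEMBER_LDIF = """dn: CN=Other User,CN=Users,DC=domain,DC=local
sAMAccountName: otheruser
memberOf: CN=Domain Users,CN=Users,DC=domain,DC=local
"""

def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: strip blanks around unescaped commas, lower-case.
    Assumption of this checker only; keep the ASA map-value spelled exactly as AD returns it."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn)).lower()

def parse_ldif(ldif: str) -> dict:
    """Minimal LDIF reader for one entry -> {attribute: [values]}.
    Handles the '::' base64 form; does not handle folded continuation lines."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip(), []).append(value)
    return entry

def resolve_group_policy(entry: dict, attr_map: dict, default_policy: str) -> str:
    """Group-policy the map selects for this entry. No matching memberOf value means
    the tunnel-group's default group-policy applies, so that default must itself
    deny access (e.g. vpn-simultaneous-logins 0) if only group members may connect."""
    for attr, value_map in attr_map.items():
        wanted = {normalize_dn(k): v for k, v in value_map.items()}
        for value in entry.get(attr, []):
            if normalize_dn(value) in wanted:
                return wanted[normalize_dn(value)]
    return default_policy
```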