Configuring Cisco ASA VPN with Active Directory Authentication

I recently deployed a Cisco ASA 5510 as VPN solution. We were replacing an old SideWinder VPN. There were a few post out on the internet, but I didn’t find a good step-by-step how to guide, so I figured I’d write one.

This tutorial assumes a few things:

  • You have a working VPN tunnel using local authentication – You can use the VPN Wizard to do this. I will user connection profile “Test.”
  • You have created a Active Directory Group – I will user VPN USERS in this example.
  • You have created a read-only Active Directory user – I will use vpn user in this example.
  • You have the DN’s for both the vpn user, and your base DN. You can use dsquery to obtain them – I will use the domain cisco.com in this example.

This configuration was performed on an ASA 5510 and and ASA 5505 version 8.2(2) with ASDM 6.25.

Adding the Active Directory server to the ASA

  • On ASDM navigate to Configuration –>Remote Access VPN –>AAA/Local Users –>AAA Server Groups
  • Under AAA Server Groups click add.
  • Under name, give it a name. Select LDAP for the protocol.
  • Select Reactivation mode Depletion.
  • Dead Time 10 Minutes.
  • Max Failed Attempts 3.
  • Click OK and then click apply.

  • Highlight the new server you just created, and click add under Servers in the Selected Group.
  • Select the interface in which the server sits behind, this would normally be the inside interface.
  • Server Type: Microsoft.
  • Base DN: DC=<domain>,DC=<com> ie DC=cisco,DC=com, of course you would put your own domain instead of cisco.
  • Scope: All levels beneath the Base DN
  • Naming Attributes: sAMAccountName – be careful this is case sensitive.
  • Login:CN=vpn user,CN=Users,DC=CISCO,DC=COM – This is the user you created .
  • Login Password: Password for the user.
  • LDAP Attribute Map : None.
  • Leave the other LDAP Parameters blank and click OK and apply your configuration.

 

Adding the VPN Access Policy

  • Navigate to Configuration –> Remote Access VPN –> Network (Client) Access –> Dynamic Access Policies.
  • Select the DfltAccessPolicy and select edit.
  • Change the Action to Terminate, and click ok. This will deny any connection by default.
  • Click the Add button to create a new Access Policy.
  • Specify a description.
  • Under selection Criteria select User has ANY of the following Attributes, and click Add.
  • Under AAA Attribute Type select LDAP.
  • Attribute ID: memberOf, and click Get AD Groups
  • All your Active Directory groups should populate, select the VPN USERS Group, and click ok.

  • Under Action make sure continue is selected, and click ok and apply.

  • Navigate to Configuration –> Remote Access VPN –> IPsec Connection Profiles.
  • Either create a new profile or edit an existing profile.
  • Under Server Group, choose LDAP, this is the server we added earlier.

 

  • Click ok and apply your configuration.
  • At this point you should be able to VPN and Authenticate via Active Directory, provided you are a member of the VPN Users group.

Works well – Notes

7 thoughts on “Configuring Cisco ASA VPN with Active Directory Authentication

  1. Great job here, Joe. We really appreciate it. So many other items we came across were so convoluted. This hit the nail on the head and then some. Wish I could buy you a drink and shake your hand.

Leave a Reply

Your email address will not be published. Required fields are marked *