  • ASA VPN with LDAP Authentication

    We currently use a Cisco ASA IPsec VPN client with RADIUS as a backend authentication service. We have configured IAS on one of our domain controllers to issue a RADIUS Accept/Deny based on the users' group membership within a "VPN Users" group. The IAS policy rules make this very easy (it understands Windows group membership), and we like using groups because it is easy to send mail to all VPN users.

    The things we don't like about using RADIUS are the idea that IAS has to be configured as a middleman service, and that IAS does not always successfully start after a system reboot (not sure why).

    We were wondering if it was possible to skip the middleman and use LDAP directly. There are many examples out on the net, but they consist of using an LDAP Attribute map to either the "Remote Access Permission" of the user's DialIn profile, or associating an AD group to a Cisco policy.

    The former does not fit our model because it bypasses the group membership concept and requires VPN control via profile. The latter does not fit because, while we do have a "VPN Users" group to map in the affirmative, we do not have an inverse to map to a Deny policy. There is no "NOT" logical operator in the LDAP Attribute mapping.

    Does anyone know a way to accomplish what we are after, using LDAP rather than RADIUS, where a single group can determine Accept (and absence equals Deny)?

  • #2
    Re: ASA VPN with LDAP Authentication

    This might be worth reviewing:
    http://www.cisco.com/en/US/products/...8060f261.shtml
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"


    • #3
      Re: ASA VPN with LDAP Authentication

      Thank you for responding Mr Moderator, but the generic Cisco document does not help. It describes the process for authenticating against *any* LDAP user, and I am well past that stage. I am attempting to restrict to a specific group. There are other more in-depth Cisco briefs that outline using msNPAllowDialin or group policy associations to further restrict beyond just a simple universal LDAP authentication. These would be helpful for anyone needing more than the basics. However, they too do not _quite_ fit my requirement.


      • #4
        Re: ASA VPN with LDAP Authentication

        I have no idea how ASA works, but if you can specify an LDAP filter for looking up the user accounts AND the users are direct members of the "VPN Users" group (aka not members via nesting), then you can alter the filter to something like:

        "(&(sAMAccountname=<User>)(memberOf=cn=VPN Users,cn=Users,DC=domain,DC=local))"
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
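        An added illustration of the filter approach in #4 (example code written for this page, not from the poster or from Cisco): it builds the AND filter with RFC 4515 escaping of the username and evaluates it against a constructed in-memory directory, so that absence from the group yields Deny and nested membership, which `memberOf` does not surface, is also denied. The group DN and the sample accounts are assumptions.

```python
# Added example, not from the original thread. Builds the group-restricted LDAP
# search filter from post #4 and evaluates it against a constructed directory.
# Assumed group DN, taken from the filter quoted in the post.
GROUP_DN = "cn=VPN Users,cn=Users,DC=domain,DC=local"

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    username containing filter metacharacters cannot alter the filter logic."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_vpn_filter(username: str) -> str:
    """Return the AND filter: the account must exist AND be a direct member of GROUP_DN."""
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (escape_filter_value(username), GROUP_DN)

# Constructed sample directory: sAMAccountName -> list of memberOf DNs.
# carol is only in "VPN Contractors"; even if that group were nested inside
# "VPN Users", her memberOf attribute lists just the direct group.
SAMPLE_DIRECTORY = {
    "alice": [GROUP_DN, "cn=Staff,cn=Users,DC=domain,DC=local"],
    "bob": ["cn=Staff,cn=Users,DC=domain,DC=local"],
    "carol": ["cn=VPN Contractors,cn=Users,DC=domain,DC=local"],
}

def vpn_allowed(username: str, directory=SAMPLE_DIRECTORY) -> bool:
    """Emulate the directory evaluating build_vpn_filter(): Accept only when an
    entry matches both clauses. sAMAccountName and DN comparison are case-insensitive."""
    entry = next((groups for name, groups in directory.items()
                  if name.lower() == username.lower()), None)
    if entry is None:
        return False  # unknown account: the AND filter matches nothing, so Deny
    return any(dn.lower() == GROUP_DN.lower() for dn in entry)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "nobody"):
        print(user, "Accept" if vpn_allowed(user) else "Deny")
```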


        • #5
          Re: ASA VPN with LDAP Authentication

          I use Cisco ACS to handle this. It's still middleman software, but works a lot better than IAS, IMO.
          MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+
