How To: Configure ASA 5510, IPSEC VPN with AD Authentication 2

Status
Not open for further replies.

digimahn

IS-IT--Management
Jul 25, 2002
27
US
Well this is my first post in over 6 years - WOW time flies!

I am needing some help and understanding. I have read so many Cisco pages and VPN posts here at Tek-Tips that I am seeing my life in NAT'd images with Crypto Maps and Access Lists applied to the images [ponder]

I am looking for some lines that need to be specifically added to an ASA 5510 failover pair for IPSEC Cisco VPN Clients to connect to the ASA and authenticate against AD.

If possible I don't want to setup an IAS, ISA or RADIUS server (systems group controls that and I just don't have time for that).

I want to secure and log VPN connectivity for individual users. If each user needs his/her own VPN group and pre-shared key that is fine. What I want to do, within reason, is ensure one user can connect using a preconfigured connection, i.e. two people can't use the same connection: if I give "bill" a pre-configured system and he connects to VPN with that system, he needs to supply his AD username and password. The only way this could be used on another system by another user is if the PCF file and AD credentials are given to someone else.

I am hesitant to post configs only because I have such a hard time picking out the lines that pertain to what I want to do. If there is a way to just work with the appropriate config additions, I would appreciate it.

Thank you for your help in advance,
DigiMahn
 
I think it would also be good to ask the following questions:

What should I do to protect the AD admin account required to be added to the config (if anything more)? Any restrictions on the AD account to limit what it can and can't do?

Can I use anything in AD to specify AD users that can authenticate via VPN? This one seems tricky to me, but I am sure if there's an answer some smart tek-tipper here knows [smile]

Thank you again and my apologies for not having this in my original post.
DigiMahn
 
I'm not sure if you've seen this, but it contains pretty much everything you'll need to get this to work with LDAP:

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I have read that already and it was helpful, so I gave you a "thank you", but...I was hoping for something a little more in line with my question specifically.

If/When I get this whole thing finger'd out I will post my stuff here for everyone, maybe no one needs it...maybe they do. I sure could use the help, not because I can't do it, but for a little learning and comparison.

Thanks again,
DigiMahn
 
Create an LDAP connection to your internal DNS, create an address pool, create the VPN group and PSK, and assign ACLs. I find the GUI is the easiest for doing VPNs.

Stubnski
 
stubnski and unclerico,

Thank you both for your help, but really, do you honestly believe you helped me? Look at my question. Clearly I do know (correction: DID NOT know) how to do this, and obviously Google is any IT guy/gal's best friend. Even my CCO login did not really help me. Several requests to have my TAC configuration assistance case RE-queued went unanswered all day. Finally I got a hold of someone and guess what...he had just as much trouble!

I finally figured it out and I am beginning to understand why us Cisco IT folks keep this stuff close to the vest...there's good money to be made doing this.

But I ask you...even as a consultant, do you really think you can get to everyone there is out there that would want/need this.

The LDAP connection is not enough, you need an LDAP attribute map(s) that point to the AD group you want to allow in, but that's not enough, you also have to default the LDAP connection's attribute map to a "no access" attribute map. You want to know the kicker!? I can't find a document that cross references LDAP attributes to Cisco Attributes, not even an explanation anywhere.

If/when I get some time I am going to post something in the FAQ section because I think this would be used by several Admins, given a nice step-by-step were available. Most of us do not have the week+ it took me to get this done!

Thank you again, seriously. I am just upset because I come to these forums, rarely and when I do I offer solid help and rarely get any back. It's just frustrating!

DigiMahn
 
digimahn,

Thank you for your kind words about being a greedy cisco tech. Sorry if I thought pointing you in the right direction might help you learn like you asked.

LDAP attributes used on the ASA are the same as in Windows.

Here is a quick run down of a few attributes on the LDAP list.

Server Port - 389
Server - Microsoft
Base DN - dc=myDomainName, dc=com <---myDomainName.com
scope all levels beneath the base DN
Naming Attribute - sAMAccountName <---AD user name.


Stubnski
 
Touchy touchy stubs...notice I threw myself in there too.

This is exactly what I am talking about. You gave me the easy stuff.

What is often left out is that you have to map the Microsoft LDAP attribute to a compatible Cisco Attribute Map. Most people will use the "ietf-radius-class" per Cisco's documentation, BUT there is a bug with that and those with an up to date ASA/PIX are left hanging in the wind. A small and dang hard to find bug note tells you that the Cisco Attribute is now "Group-Policy"

In this case Microsoft's "samAccountName" which is the user logon name that is compatible all the way back to NT4 and Windows 95.
A great reference of all the attributes can be found here:

After weeks and weeks of banging my head I finally figured it out. If you have this running then you know this is not well documented.

I apologize if you took offense to my comments and the general tone of my responses, but anyone reading should see clearly there are NO answers here to help them should they come across this post in search of an answer to this very same question they now have!

See ya tek-tips...I am done here!
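The thread never posts the actual configuration it argues about, so here is an added example (editor's, not from any poster or from Cisco) that pulls together the pieces described across the posts: the LDAP server definition from Stubnski's rundown (port 389, Microsoft server type, base DN, subtree scope, sAMAccountName), the LDAP attribute map that DigiMahn describes (AD memberOf mapped to the Cisco Group-Policy attribute, with a deny-everything policy as the tunnel group's default so unmapped users cannot get in), plus the tunnel group and IKE/IPsec lines the classic Cisco VPN Client needs. Every name, DN, IP address, pool and secret is an assumption, and the syntax is the 8.0/8.2-era CLI (crypto isakmp, nat 0) that an ASA 5510 of that period ran; adjust for your release. On the service-account question: the ASA only needs to bind and read user attributes, so a plain domain user with no group memberships is sufficient; do not use a domain admin.

```cisco
! Added example (editor's); names, IPs, DNs and secrets are assumptions.
! Syntax is ASA 8.0/8.2-era; newer releases differ (crypto ikev1, object NAT).
!
! --- 1. LDAP server: a plain, unprivileged domain user is enough for the bind ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa-ldap,ou=Service Accounts,dc=example,dc=com
 ldap-login-password Sup3rS3cret!
 server-type microsoft
 ldap-attribute-map AD-VPN-MAP
! Caveat: port 389 sends the bind password and user credentials in clear text.
! Prefer LDAPS: use "host 10.1.1.10 636" above and add "ldap-over-ssl enable".
!
! --- 2. Attribute map: AD group membership -> ASA group policy ---
! Newer code names the Cisco attribute Group-Policy; older code used
! IETF-Radius-Class (the mismatch the thread calls a bug). Check with
! "ldap attribute-map ?" on your own release.
ldap attribute-map AD-VPN-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-VPN-USERS
!
! --- 3. Group policies: deny by default, allow only users the map matched ---
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol IPSec
 address-pools value VPN-POOL
 dns-server value 10.1.1.10
 default-domain value example.com
!
! --- 4. Tunnel group: the "connection entry" and group secret in the PCF file ---
ip local pool VPN-POOL 10.200.0.10-10.200.0.100 mask 255.255.255.0
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group RA-IPSEC ipsec-attributes
 pre-shared-key Gr0upS3cret
!
! --- 5. IKE/IPsec for the classic Cisco VPN Client (xauth happens after IKE) ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-RA 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-RA
crypto map OUTSIDE-MAP interface outside
! Exempt VPN-pool traffic from NAT (8.2 style) or return traffic breaks.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- 6. Verification commands (run from enable mode, not pasted as config) ---
! test aaa-server authentication AD-LDAP host 10.1.1.10 username bill password ...
! debug ldap 255          <- watch the memberOf value and the Group-Policy it maps to
! show vpn-sessiondb remote
```

The deny-by-default comes from vpn-simultaneous-logins 0 on GP-NOACCESS: a user who authenticates but is not in CN=VPN-Users never gets a mapped policy, inherits the tunnel group's default, and is refused. The map-value string must match the group's DN character for character, so copy it from AD rather than typing it. On a failover pair the configuration replicates to the standby automatically, so nothing extra is needed there. If you want per-user PCF files that cannot be swapped, create one tunnel-group per user with its own pre-shared-key; the AD credential check through AD-LDAP stays the same.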
 