In this post I demonstrate how to configure the Cisco Adaptive Security Appliance (ASA) to use an LDAP server for authentication of WebVPN users. The LDAP server in this example is Microsoft Active Directory. In this example Lightweight Directory Access Protocol (LDAP) authentication is configured for WebVPN users, but this configuration can be used for all other types of remote access clients as well. Simply assign the AAA server group to the desired connection profile (tunnel group). 

Ok if you want to use AD we must use LDAP and in some cases we will have to configure an LDAP attribute-map…I have put together a sample config you can use. It’s a sample ldap aaa-server configuration. I put a (#x) where there is something you need to modify to be specific to your environment. There is an explanation for each number below.

aaa-server cisco protocol ldap
aaa-server cisco host 192.168.10.100 (#1)
  ldap-base-dn DC=6200networks,DC=com (#2)
  ldap-scope subtree
  ldap-naming-attribute samAccountName
  ldap-login-password adminpass (#3)
  ldap-login-dn CN=Administrator,CN=users,DC=6200networks,DC=com (#4)

tunnel-group mytunnelgroup general-attributes
  authentication-server-group cisco (#5)

#1 - replace 192.168.10.100 with the ip address of your aaa-server

#2 - this is where the asa is going to start its search for users it needs to authenticate. In my example we start at the top of the heirarchy (6200networks.com)

#3 - you need to have an administrative user setup on you AD so that we can bind with the AD and send user authentication requests. This is the password the admin user has.

#4 - This is the complete string of the admin user. To get the complete string go to the AD box, open a command prompt and run the dsquery command on the admin username (the asterisks broaden the search) dsquery user -name *Administrator*

#5 - replace mytunnelgroup with the name of your vpn tunnel-group

Now authentication is done via group attributes in AD in most instances via the dialin attributes msallowdialin attribute and using tunneling protocols attribute but I have some customers that would like to use the memberof attribute instead so that they can prevent members of other AD groups from connecting to the ASA…this can be done using LDAP schema 65 attribute mapping…for instance…the ASA/PIX uses the Cisco LDAP attribute
cVPN3000-IETF-Radius-Class to enforce policies from a specific group-policy for Remote Access VPN sessions (IPSec, SVC, WebVPN or Clientless). The LDAP attribute (65) is equivalent to Radius Class (25) attribute.

On the ASA create an ldap-attribute-map with  the minimum mapping and associate it with the ldap aaa-server.

5500-1(config-aaa-server-host)# show runn ldap
!
ldap attribute-map Map1
map-name  memberOf cVPN3000-IETF-Radius-Class
map-value memberOf CN=AD-Group1,CN=Users,DC=CompanyA,DC=com ASA-Group1-Allow-Access
map-value memberOf CN=AD-Group2,CN=Users,DC=CompanyA,DC=com ASA-Group2-Deny-Access
!
5500-1(config-aaa-server-host)# 

OK so what is being enforced with the above mapping?

1) user1 in AD group AD-Group1 will be placed-landed on ASA group-policy ASA-Group1-Allow-Access. In this ASA group then you can set vpn-tunnel-protocol to allow only svc and webvpn types for example.

2) user2 in AD group AD-Group2 will be placed-landed on ASA group-policy ASA-Group2-Deny-Access. In this ASA group then you can set vpn-tunnel-protocol to allow only ipsec types for example. Therefore svc/webvpn types would be disallowed.

Note: If the AD user is part of multiple AD groups, make sure the AD user’s memberof/group of interest is at the top of the list ,since as of 7.2.x , the appliance only enforces the 1st memberOf attribute that is parsed. The single AD group (memberOf) limitation has been removed in 8.0 where the ASA is able to make policy decisions based on multiple AD groups.

If you have any questions please see the following link for details:

Configuring an External Server

Joe