Cisco ASA - VPN Question

intel233 · May 29, 2018

I have a group (Active Dir) that people need to be a part of in order to be able to allow VPN access. I do not see any mention of this group in the config. Can someone tell me what I need to look at to find out how this Active Dir group is associated with VPN? I see the group policy and looking through it in the ADSM I still don't see it.

ADB100 · Jun 4, 2018

It depends. What external authentication server is the ASA using? Is it MS NPS (Radius) or Cisco ACS, Cisco ISE or something else?
Typically the Radius server will check for conditions such as AD group membership as part of the Radius policy so there might be nothing you can see on the ASA. For example on my NPS server I have a policy that checks for the condiditons:
Authentication Type=MS-CHAP v2
NAS Port Type=Virtual (VPN)
Windows Groups = DOMAIN\VPN Users

It could also be done with LDAP using LDAP Attribute Maps.

Andy

intel233 · Jun 4, 2018

I believe it is LDAP so shouldn't I see that group somewhere in the config

ADB100 · Jun 8, 2018

If its using LDAP then its probably LDAP Attribute Mappings that you need to look at. In the ASDM GUI go to AAA and look at 'LDAP Attribute Map'. There should be a Map created that maps a LDAP Attribute to a Cisco Attribute.
I have CN's mapped to Group Policies using the 'memberOf' LDAP attribute.

intel233 · Jun 8, 2018

Thanks... Looked there and nothing so not sure how its working

ADB100 · Jun 16, 2018

Probably not LDAP then... Check Radius

intel233 · Jun 16, 2018

I am pretty sure there are no radius servers but I will double check.

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Cisco ASA - VPN Question

intel233

MIS

ADB100

Technical User

intel233

MIS

ADB100

Technical User

intel233

MIS

ADB100

Technical User

intel233

MIS

Similar threads

Part and Inventory Search

Sponsor