Cisco ASA - VPN Question

Question

Cisco ASA - VPN Question

intel233 (MIS)

(OP)

29 May 18 13:29

I have a group (Active Dir) that people need to be a part of in order to be able to allow VPN access. I do not see any mention of this group in the config. Can someone tell me what I need to look at to find out how this Active Dir group is associated with VPN? I see the group policy and looking through it in the ADSM I still don't see it.

ADB100 (TechnicalUser) · Answer 1 · 2018-06-04 16:26:59

It depends. What external authentication server is the ASA using? Is it MS NPS (Radius) or Cisco ACS, Cisco ISE or something else?
Typically the Radius server will check for conditions such as AD group membership as part of the Radius policy so there might be nothing you can see on the ASA. For example on my NPS server I have a policy that checks for the condiditons:
Authentication Type=MS-CHAP v2
NAS Port Type=Virtual (VPN)
Windows Groups = DOMAIN\VPN Users

It could also be done with LDAP using LDAP Attribute Maps.

Andy

intel233 (MIS) · Answer 2 · 2018-06-04 18:54:13

I believe it is LDAP so shouldn't I see that group somewhere in the config

ADB100 (TechnicalUser) · Answer 3 · 2018-06-08 16:06:17

If its using LDAP then its probably LDAP Attribute Mappings that you need to look at. In the ASDM GUI go to AAA and look at 'LDAP Attribute Map'. There should be a Map created that maps a LDAP Attribute to a Cisco Attribute.
I have CN's mapped to Group Policies using the 'memberOf' LDAP attribute.

intel233 (MIS) · Answer 4 · 2018-06-08 20:39:27

Thanks... Looked there and nothing so not sure how its working

ADB100 (TechnicalUser) · Answer 5 · 2018-06-16 11:35:12

Probably not LDAP then... Check Radius

intel233 (MIS) · Answer 6 · 2018-06-16 13:08:07

I am pretty sure there are no radius servers but I will double check.

Come Join Us!

Posting Guidelines

Jobs

Cisco ASA - VPN Question